CVE-2017-3167

CWE-287 — Improper Authentication12 documents9 sources

Severity

9.8CRITICAL

EPSS

10.3%

top 6.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apple MAC OS X Apache Software Foundation Apache Http Server +9 more

Timeline

PublishedJun 20

Latest updateMay 13

Description

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages10 packages

▶NVDapache/http_server2.2.0 — 2.2.33+1

▶Debianapache2< 2.4.25-4+3

▶Ubuntuapache2< 2.4.7-1ubuntu4.16+1

▶CVEListV5apache_software_foundation/apache_http_server2.2.0 to 2.2.32, 2.4.0 to 2.4.25+1

▶NVDapple/mac_os_x< 10.13.1

Also affects: Debian Linux 8.0, 9.0, Enterprise Linux 6.7, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-9mgw-4qp5-wrrj: In Apache httpd 2↗2022-05-13

▶

OSV

apache2 vulnerabilities↗2017-06-26

▶

OSV

CVE-2017-3167: In Apache httpd 2↗2017-06-20

▶

CVEList

CVE-2017-3167: In Apache httpd 2↗2017-06-20

▶

📋Vendor Advisories

Apple

CVE-2017-3167: macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan↗2017-10-31

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2017-07-31

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2017-06-26

▶

Red Hat

httpd: ap_get_basic_auth_pw() authentication bypass↗2017-06-20

▶

Debian

CVE-2017-3167: apache2 - In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_b...↗2017

▶

💬Community

Bugzilla

CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668 CVE-2017-7679 httpd: various flaws [fedora-all]↗2017-06-20

▶

Bugzilla

CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass↗2017-06-20

▶