CVE-2018-1283
published 2018-03-26CVE-2018-1283: In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user…
medium5.3CVSS 3.0
AVNACHPRLUINSUCNIHAN
In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | http_server | 2.4.0 – 2.4.29 | — |
| apache_software_foundation | apache_http_server | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | apache2 | < apache2 2.4.33-1 (bookworm) | apache2 2.4.33-1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
CVSS provenance
nvdv3.05.3MEDIUMCVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
osv7.5HIGH