CVE-2018-1312

CWE-287 — Improper Authentication CWE-30512 documents9 sources

Severity

9.8CRITICAL

EPSS

7.3%

top 8.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Http Server Apache Http Server Canonical Ubuntu Linux +8 more

Timeline

PublishedMar 26

Latest updateMay 13

Description

In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages7 packages

▶NVDapache/http_server19 versions+18

▶CVEListV5apache_software_foundation/apache_http_server2.0.42 to 2.4.29

▶Debianapache2< 2.4.33-1+3

▶NVDredhat/jboss_core_services1.0

▶NVDredhat/enterprise_linux_server7.0

Also affects: Debian Linux 7.0, 8.0, 9.0, Ubuntu Linux 12.04, 14.04, 16.04, 17.10, 18.04, Enterprise Linux 7.6

🔴Vulnerability Details

GHSA

GHSA-hvff-4fq3-p325: In Apache httpd 2↗2022-05-13

▶

OSV

CVE-2018-1312: In Apache httpd 2↗2018-03-26

▶

CVEList

CVE-2018-1312: In Apache httpd 2↗2018-03-26

▶

📋Vendor Advisories

Ubuntu

Apache vulnerabilities↗2019-04-10

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2018-04-30

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2018-04-19

▶

Red Hat

httpd: Weak Digest auth nonce generation in mod_auth_digest↗2018-03-21

▶

Debian

CVE-2018-1312: apache2 - In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication c...↗2018

▶

💬Community

Bugzilla

CVE-2018-1312 httpd: Weak Digest auth nonce generation in mod_auth_digest [fedora-all]↗2018-03-26

▶

Bugzilla

CVE-2018-1312 httpd: Weak Digest auth nonce generation in mod_auth_digest↗2018-03-26

▶