CVE-2019-0215 — Improper Access Control in Apache Http Server

CWE-284 — Improper Access Control8 documents7 sources

Severity

7.5HIGHNVD

EPSS

7.5%

top 8.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Http Server Fedoraproject Fedora

Timeline

PublishedApr 8

Latest updateMay 13

Description

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/http_server2.4.37, 2.4.38+1

▶CVEListV5apache/apache_http_server2.4.37, 2.4.38+1

Also affects: Fedora 29, 30

🔴Vulnerability Details

GHSA

GHSA-xpmg-8256-c52g: In Apache HTTP Server 2↗2022-05-13

▶

CVEList

CVE-2019-0215: In Apache HTTP Server 2↗2019-04-08

▶

OSV

CVE-2019-0215: In Apache HTTP Server 2↗2019-04-08

▶

📋Vendor Advisories

Red Hat

httpd: mod_ssl: access control bypass when using per-location client certification authentication↗2019-04-01

▶

Debian

CVE-2019-0215: apache2 - In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when usin...↗2019

▶

💬Community

Bugzilla

CVE-2019-0215 CVE-2019-0217 CVE-2019-0220 httpd: various flaws [fedora-all]↗2019-04-02

▶

Bugzilla

CVE-2019-0215 httpd: mod_ssl: access control bypass when using per-location client certification authentication↗2019-04-02

▶