mod_nss 1.0.8 and earlier, when NSSVerifyClient is set to none for the server/vhost context, does not enforce the NSSVerifyClient setting in the directory context, which allows remote attackers to bypass intended access restrictions.

Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | mod24_nss | 2013-12-03 13:00 | ALAS-2013-254 |
Amazon Linux 1 | mod_nss | 2013-12-03 13:00 | ALAS-2013-253 |

Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv2 | 4.0 | AV:N/AC:H/Au:N/C:P/I:P/A:N |
NVD | CVSSv2 | 4.0 | AV:N/AC:H/Au:N/C:P/I:P/A:N |
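
To find configurations that depend on the behaviour described above, the following added example (not part of the advisory or of mod_nss) scans httpd configuration text for per-directory `NSSVerifyClient` settings that sit under a server/vhost context set to `none`. The function name and sample configuration are constructed for illustration, and an unset server-level directive is assumed to behave as `none`.

```python
import re

# Constructed sample httpd configuration (not taken from the advisory).
SAMPLE_CONF = """\
<VirtualHost *:443>
    NSSVerifyClient none
    <Directory "/var/www/html/private">
        NSSVerifyClient require
    </Directory>
</VirtualHost>
<VirtualHost *:8443>
    NSSVerifyClient require
    <Location "/admin">
        NSSVerifyClient require
    </Location>
</VirtualHost>
"""

PER_DIR = {"directory", "directorymatch", "location", "locationmatch", "files", "filesmatch"}
OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*\w+\s*>")
DIRECTIVE = re.compile(r"NSSVerifyClient\s+(\S+)", re.I)

def find_unenforced_sections(conf_text):
    """Return (scope, section, value) for each per-directory NSSVerifyClient
    that sits under a server/vhost context whose setting is none."""
    stack, server_level, per_dir = [], {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        # Patterns are anchored at line start, so blank and "#" lines match nothing.
        if CLOSE.match(line):
            del stack[-1:]  # tolerate a stray closing tag
        elif (m := OPEN.match(line)):
            stack.append((m.group(1).lower(), f"<{m.group(1)} {m.group(2).strip()}>"))
        elif (m := DIRECTIVE.match(line)):
            value = m.group(1).lower()
            scope = next((lbl for kind, lbl in stack if kind == "virtualhost"), "main server")
            section = next((lbl for kind, lbl in reversed(stack) if kind in PER_DIR), None)
            if section:
                per_dir.append((scope, section, value))
            else:
                server_level[scope] = value
    # Assumption: an unset server-level directive is treated as "none".
    return [(scope, section, value) for scope, section, value in per_dir
            if value != "none"
            and server_level.get(scope, server_level.get("main server", "none")) == "none"]
```

Each tuple returned names a section whose client-certificate requirement is not enforced on mod_nss 1.0.8 and earlier.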