CVE-2018-1312

Public on 2018-05-03
Modified on 2018-05-03
Description
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
Severity
Low
CVSS v3 Base Score
4.2
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 httpd24 2018-05-03 16:29 ALAS-2018-1004

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 4.2 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
NVD CVSSv2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
NVD CVSSv3 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H