A flaw was found in Apache HTTP Server 2.4 (releases 2.4.37 and 2.4.38). A bug in mod_ssl, when using per-location client certificate verification with TLSv1.3, allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions. An attacker could perform various unauthorized actions after bypassing the restrictions. The highest threat from this vulnerability is to data confidentiality and integrity.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 2 - Core | httpd | 2019-04-04 21:49 | ALAS2-2019-1189 |
Amazon Linux 1 | httpd24 | 2019-04-05 20:05 | ALAS-2019-1189 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv3 | 6.8 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
NVD | CVSSv2 | 6.0 | AV:N/AC:M/Au:S/C:P/I:P/A:P |
NVD | CVSSv3 | 7.5 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |