The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SSLCipherSuite" directive in directory or location context, allows remote clients to bypass intended restrictions by using any cipher suite that is allowed by the virtual host configuration.
http://issues.apache.org/bugzilla/show_bug.cgi?id=31505
http://lists.apple.com/archives/security-announce/2005//Aug/msg00001.html
http://lists.apple.com/archives/security-announce/2005/Aug/msg00000.html
http://marc.info/?l=bugtraq&m=109786159119069&w=2
http://secunia.com/advisories/19072
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1
http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
http://www.apacheweek.com/features/security-20
http://www.redhat.com/support/errata/RHSA-2004-562.html
http://www.redhat.com/support/errata/RHSA-2004-600.html
http://www.redhat.com/support/errata/RHSA-2005-816.html
http://www.redhat.com/support/errata/RHSA-2008-0261.html
http://www.securityfocus.com/bid/11360
http://www.ubuntu.com/usn/usn-177-1
http://www.vupen.com/english/advisories/2006/0789
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01123
https://exchange.xforce.ibmcloud.com/vulnerabilities/17671
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10384
Source: MITRE
Published: 2004-11-03
Updated: 2017-10-11
Type: NVD-CWE-Other
Base Score: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Impact Score: 6.4
Exploitability Score: 10
Severity: HIGH
OR
cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.47:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.48:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.49:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.0.50:*:*:*:*:*:*:*
ID | Name | Product | Family | Severity |
---|---|---|---|---|
63857 | RHEL 3 / 4 : Proxy Server (RHSA-2008:0523) | Nessus | Red Hat Local Security Checks | high |
43837 | RHEL 3 / 4 : Satellite Server (RHSA-2008:0524) | Nessus | Red Hat Local Security Checks | critical |
43835 | RHEL 4 : Satellite Server (RHSA-2008:0261) | Nessus | Red Hat Local Security Checks | critical |
37846 | FreeBSD : mod_ssl -- SSLCipherSuite bypass (4238151d-207a-11d9-bfe2-0090962cff2a) | Nessus | FreeBSD Local Security Checks | high |
20587 | Ubuntu 4.10 / 5.04 : apache2, libapache-mod-ssl vulnerabilities (USN-177-1) | Nessus | Ubuntu Local Security Checks | critical |
3308 | Mac OS X Multiple Vulnerabilities (Security Update 2005-009) | Nessus Network Monitor | Operating System Detection | medium |
19463 | Mac OS X Multiple Vulnerabilities (Security Update 2005-007) | Nessus | MacOS X Local Security Checks | critical |
19399 | HP-UX PHSS_33075 : Apache on HP-UX, Remote Denial of Service (DoS), Bypass of SSLCipherSuite Settings (HPSBUX01123 SSRT5931 rev.2) | Nessus | HP-UX Local Security Checks | high |
18793 | Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : apache, mod_ssl, php (SSA:2004-299-01) | Nessus | Slackware Local Security Checks | critical |
15960 | RHEL 2.1 : apache, mod_ssl (RHSA-2004:600) | Nessus | Red Hat Local Security Checks | high |
2444 | Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02) | Nessus Network Monitor | Web Clients | high |
15898 | Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02) | Nessus | MacOS X Local Security Checks | high |
15700 | RHEL 3 : httpd (RHSA-2004:562) | Nessus | Red Hat Local Security Checks | high |
15602 | Mandrake Linux Security Advisory : mod_ssl/apache2-mod_ssl (MDKSA-2004:122) | Nessus | Mandriva Local Security Checks | high |
15576 | FreeBSD : mod_ssl -- SSLCipherSuite bypass (112) | Nessus | FreeBSD Local Security Checks | high |
15545 | GLSA-200410-21 : Apache 2, mod_ssl: Bypass of SSLCipherSuite directive | Nessus | Gentoo Local Security Checks | high |
800800 | Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02) | Log Correlation Engine | Operating System Detection | medium |
800798 | Mac OS X Multiple Vulnerabilities (Security Update 2005-009) | Log Correlation Engine | Operating System Detection | high |