In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.
https://support.f5.com/csp/article/K59440504
https://security.netapp.com/advisory/ntap-20190423-0001/
https://access.redhat.com/errata/RHSA-2019:0980