CVE-2019-0217

high

Description

In Apache HTTP Server 2.4 releases 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server (the worker or event MPM; the single-threaded prefork MPM is not threaded and so is not affected) could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions such as a Require user directive. The issue is fixed in 2.4.39; an attacker still needs a valid account, which is why the CVSS v3 vector carries PR:L and AC:H.
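The three conditions above (2.4.x before 2.4.39, a threaded MPM, mod_auth_digest loaded) can be checked on a host from the output of `httpd -V` and `httpd -M`. The following is an added example written for this page, not code from the Apache project or from Tenable; it assumes the standard `Server version:` / `Server MPM:` lines of `-V` output and the `auth_digest_module` entry of `-M` output, and the sample outputs embedded in it are constructed, not captured from a real server.

```python
"""Local exposure check for CVE-2019-0217 (mod_auth_digest race under threaded MPMs).

Exposure needs all three at once: httpd 2.4.x older than 2.4.39, a threaded MPM
(worker or event; prefork is single-threaded per process), and mod_auth_digest
actually loaded. The parsing works on the text of `httpd -V` and `httpd -M`
(also produced by apachectl / apache2ctl), so it can be run against saved output.
"""
import re
import shutil
import subprocess
from typing import NamedTuple, Optional, Tuple

FIXED_IN = (2, 4, 39)                 # first release carrying the fix
THREADED_MPMS = {"worker", "event"}   # prefork is not threaded, hence not affected


class Assessment(NamedTuple):
    version: Optional[Tuple[int, ...]]
    mpm: Optional[str]
    digest_loaded: bool

    @property
    def vulnerable(self) -> bool:
        return (
            self.version is not None
            and self.version[:2] == (2, 4)        # the CVE covers the 2.4 branch only
            and self.version < FIXED_IN
            and self.mpm in THREADED_MPMS
            and self.digest_loaded
        )


def parse_version(v_output: str) -> Optional[Tuple[int, ...]]:
    """Extract (major, minor, patch) from a 'Server version: Apache/2.4.38 (Unix)' line."""
    m = re.search(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_mpm(v_output: str) -> Optional[str]:
    """Extract the MPM name from a 'Server MPM:     event' line."""
    m = re.search(r"Server MPM:\s*(\S+)", v_output)
    return m.group(1).lower() if m else None


def digest_loaded(m_output: str) -> bool:
    """True if auth_digest_module appears in the loaded-modules listing."""
    return re.search(r"^\s*auth_digest_module\b", m_output, re.MULTILINE) is not None


def assess(v_output: str, m_output: str) -> Assessment:
    return Assessment(parse_version(v_output), parse_mpm(v_output), digest_loaded(m_output))


def assess_local(binary: str = "httpd") -> Assessment:
    """Run the real binary (or the control script on Debian/RHEL hosts) and assess it."""
    exe = shutil.which(binary) or shutil.which("apache2ctl") or shutil.which("apachectl")
    if exe is None:
        raise FileNotFoundError("no httpd/apache2ctl/apachectl binary found on PATH")
    v_out = subprocess.run([exe, "-V"], capture_output=True, text=True, check=True).stdout
    m_out = subprocess.run([exe, "-M"], capture_output=True, text=True, check=True).stdout
    return assess(v_out, m_out)


# Constructed sample output, shaped like real `httpd -V` / `httpd -M` output.
SAMPLE_V_VULN = """Server version: Apache/2.4.38 (Unix)
Server built:   Jan  1 2019 00:00:00
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
"""
SAMPLE_M_VULN = """Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authz_user_module (shared)
"""
SAMPLE_V_PREFORK = SAMPLE_V_VULN.replace("Server MPM:     event", "Server MPM:     prefork")
SAMPLE_V_FIXED = SAMPLE_V_VULN.replace("Apache/2.4.38", "Apache/2.4.39")
SAMPLE_M_NO_DIGEST = SAMPLE_M_VULN.replace(" auth_digest_module (shared)\n", "")

if __name__ == "__main__":
    for label, v, m in [
        ("2.4.38 / event / digest loaded", SAMPLE_V_VULN, SAMPLE_M_VULN),
        ("2.4.38 / prefork / digest loaded", SAMPLE_V_PREFORK, SAMPLE_M_VULN),
        ("2.4.39 / event / digest loaded", SAMPLE_V_FIXED, SAMPLE_M_VULN),
        ("2.4.38 / event / digest not loaded", SAMPLE_V_VULN, SAMPLE_M_NO_DIGEST),
    ]:
        a = assess(v, m)
        print(f"{label}: vulnerable={a.vulnerable}")
```

Run it with no arguments to see the four constructed cases, or call `assess_local()` on a host to check the installed binary. Note that distribution packages backport the fix without bumping the version string (see the RHSA, DSA and USN references below), so a "2.4.38" reported by a patched distro package is a false positive here; the package-level Nessus plugins listed at the bottom of this page handle that case.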

References

https://www.debian.org/security/2019/dsa-4422

https://usn.ubuntu.com/3937-1/

https://seclists.org/bugtraq/2019/Apr/5

https://lists.fedoraproject.org/archives/list/[email protected]/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT/

https://lists.fedoraproject.org/archives/list/[email protected]/message/EZRMTEIGZKYFNGIDOTXN3GNEJTLVCYU7/

https://lists.debian.org/debian-lts-announce/2019/04/msg00008.html

https://lists.apache.org/thread.html/[email protected]%3Cdev.httpd.apache.org%3E

https://httpd.apache.org/security/vulnerabilities_24.html

https://bugzilla.redhat.com/show_bug.cgi?id=1695020

http://www.securityfocus.com/bid/107668

http://www.openwall.com/lists/oss-security/2019/04/02/5

https://usn.ubuntu.com/3937-2/

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.html

https://security.netapp.com/advisory/ntap-20190423-0001/

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/ALIR5S3O7NRHEGFMIDMUSYQIZOE4TJJN/

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://access.redhat.com/errata/RHSA-2019:2343

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://access.redhat.com/errata/RHSA-2019:3436

https://access.redhat.com/errata/RHSA-2019:3935

https://access.redhat.com/errata/RHSA-2019:3933

https://access.redhat.com/errata/RHSA-2019:3932

https://access.redhat.com/errata/RHSA-2019:4126

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://www.oracle.com/security-alerts/cpuapr2020.html

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

Details

Source: MITRE

Published: 2019-04-08

Updated: 2021-06-06

Type: CWE-362

Risk Information

CVSS v2

Base Score: 6

Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 6.8

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1.6

Severity: HIGH

Tenable Plugins

37 plugins total

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 145654 | CentOS 8 : httpd:2.4 (CESA-2019:3436) | Nessus | CentOS Local Security Checks | high |
| 144232 | Virtuozzo 7 : httpd / httpd-devel / httpd-manual / httpd-tools / etc (VZLSA-2019-2343) | Nessus | Virtuozzo Local Security Checks | high |
| 132454 | NewStart CGSL CORE 5.05 / MAIN 5.05 : httpd Multiple Vulnerabilities (NS-SA-2019-0250) | Nessus | NewStart CGSL Local Security Checks | high |
| 131216 | RHEL 7 : JBoss Core Services (RHSA-2019:3933) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering) (Resource Loop) | Nessus | Red Hat Local Security Checks | high |
| 131215 | RHEL 6 : JBoss Core Services (RHSA-2019:3932) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering) (Resource Loop) | Nessus | Red Hat Local Security Checks | high |
| 130540 | RHEL 8 : httpd:2.4 (RHSA-2019:3436) | Nessus | Red Hat Local Security Checks | high |
| 129922 | NewStart CGSL CORE 5.04 / MAIN 5.04 : httpd Multiple Vulnerabilities (NS-SA-2019-0202) | Nessus | NewStart CGSL Local Security Checks | high |
| 129017 | CentOS 7 : httpd (CESA-2019:2343) | Nessus | CentOS Local Security Checks | high |
| 128223 | Scientific Linux Security Update : httpd on SL7.x x86_64 (20190806) | Nessus | Scientific Linux Local Security Checks | high |
| 127715 | RHEL 7 : httpd (RHSA-2019:2343) | Nessus | Red Hat Local Security Checks | high |
| 126777 | Oracle Enterprise Manager Ops Center (Jul 2019 CPU) | Nessus | Misc. | critical |
| 125583 | EulerOS Virtualization for ARM 64 3.0.2.0 : httpd (EulerOS-SA-2019-1631) | Nessus | Huawei Local Security Checks | high |
| 125507 | EulerOS 2.0 SP3 : httpd (EulerOS-SA-2019-1580) | Nessus | Huawei Local Security Checks | high |
| 124922 | EulerOS Virtualization 3.0.1.0 : httpd (EulerOS-SA-2019-1419) | Nessus | Huawei Local Security Checks | critical |
| 124870 | Photon OS 1.0: Httpd PHSA-2019-1.0-0230 | Nessus | PhotonOS Local Security Checks | high |
| 124732 | EulerOS Virtualization 2.5.3 : httpd (EulerOS-SA-2019-1354) | Nessus | Huawei Local Security Checks | high |
| 124680 | Photon OS 2.0: Httpd PHSA-2019-2.0-0157 | Nessus | PhotonOS Local Security Checks | high |
| 124541 | Fedora 30 : httpd (2019-cf7695b470) | Nessus | Fedora Local Security Checks | high |
| 124391 | EulerOS 2.0 SP5 : httpd (EulerOS-SA-2019-1295) | Nessus | Huawei Local Security Checks | high |
| 124389 | EulerOS 2.0 SP2 : httpd (EulerOS-SA-2019-1293) | Nessus | Huawei Local Security Checks | high |
| 124264 | openSUSE Security Update : apache2 (openSUSE-2019-1258) | Nessus | SuSE Local Security Checks | high |
| 124125 | Amazon Linux 2 : httpd (ALAS-2019-1189) | Nessus | Amazon Linux Local Security Checks | high |
| 124102 | openSUSE Security Update : apache2 (openSUSE-2019-1209) | Nessus | SuSE Local Security Checks | high |
| 124017 | openSUSE Security Update : apache2 (openSUSE-2019-1190) | Nessus | SuSE Local Security Checks | high |
| 123958 | Amazon Linux AMI : httpd24 (ALAS-2019-1189) | Nessus | Amazon Linux Local Security Checks | high |
| 98530 | Apache 2.4.x < 2.4.39 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | high |
| 700509 | Apache HTTP Server < 2.4.39 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | high |
| 123823 | SUSE SLES12 Security Update : apache2 (SUSE-SU-2019:0889-1) | Nessus | SuSE Local Security Checks | high |
| 123822 | SUSE SLES12 Security Update : apache2 (SUSE-SU-2019:0888-1) | Nessus | SuSE Local Security Checks | high |
| 123801 | Fedora 29 : httpd (2019-119b14075a) | Nessus | Fedora Local Security Checks | high |
| 123787 | Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : apache2 vulnerabilities (USN-3937-1) | Nessus | Ubuntu Local Security Checks | high |
| 123785 | SUSE SLES12 Security Update : apache2 (SUSE-SU-2019:0878-1) | Nessus | SuSE Local Security Checks | high |
| 123782 | SUSE SLED15 / SLES15 Security Update : apache2 (SUSE-SU-2019:0873-1) | Nessus | SuSE Local Security Checks | high |
| 123691 | Debian DSA-4422-1 : apache2 - security update | Nessus | Debian Local Security Checks | high |
| 123689 | Debian DLA-1748-1 : apache2 security update | Nessus | Debian Local Security Checks | high |
| 123644 | FreeBSD : Apache -- Multiple vulnerabilities (cf2105c6-551b-11e9-b95c-b499baebfeaf) | Nessus | FreeBSD Local Security Checks | high |
| 123642 | Apache 2.4.x < 2.4.39 Multiple Vulnerabilities | Nessus | Web Servers | high |