FreeBSD : apache24 -- X509 Client certificate based authentication can be bypassed when HTTP/2 is used (e9d1e040-42c9-11e6-9608-20cf30e32f6d)
Severity: Medium
Nessus Plugin ID 91949
Synopsis
The remote FreeBSD host is missing a security-related update.
Description
Apache Software Foundation reports:
The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate an X509 client certificate correctly when the experimental module for the HTTP/2 protocol is used to access a resource.
The net result is that a resource that should require a valid client certificate in order to get access can be accessed without that credential.
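The following triage script is an added example written for this page; it is not Nessus plugin code and not Apache's. It assumes a vhost that enables HTTP/2 alongside HTTP/1.1 (Apache's `Protocols h2 http/1.1` directive) and a `<Location>` protected with `SSLVerifyClient require`, and it probes that location over each protocol without presenting a client certificate. A resource that is refused over HTTP/1.1 but served over HTTP/2 matches the behaviour the advisory describes; the `httpd_version_affected` helper checks a version string against the 2.4.18 to 2.4.20 range the advisory names. The URL, the `-k` flag (lab servers with self-signed certificates) and the status-code interpretation are assumptions.

```shell
#!/bin/sh
# Added example (not from the Nessus plugin or Apache): triage helpers for
# the HTTP/2 client-certificate bypass in httpd 2.4.18-2.4.20.
# Assumes: vhost with "Protocols h2 http/1.1", a <Location> guarded by
# "SSLVerifyClient require", and curl built with HTTP/2 (nghttp2) support.

# Return 0 if an httpd version string (e.g. "2.4.19") is inside the
# affected range 2.4.18 .. 2.4.20 named in the advisory, 1 otherwise.
httpd_version_affected() {
    v="$1"
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    patch=$(printf '%s' "$v" | cut -d. -f3)
    # Reject anything without a purely numeric third component.
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" = 2 ] && [ "$minor" = 4 ] && [ "$patch" -ge 18 ] && [ "$patch" -le 20 ]
}

# Fetch only the HTTP status code of a URL without any client certificate,
# forcing one protocol via curl's --http1.1 or --http2 switch.
# curl reports a TLS/connection-level refusal as status "000".
# -k is for lab hosts with self-signed server certificates (assumption).
probe_status() {
    url="$1"
    proto="$2"
    curl -sk -o /dev/null -w '%{http_code}' "$proto" "$url"
}

# Interpret the two probes. A client-cert protected resource must not be
# served (200) without a certificate on either protocol:
#   refused on HTTP/1.1 but 200 on HTTP/2  -> BYPASS (advisory behaviour)
#   200 on both                             -> UNPROTECTED (no cert required at all)
#   anything else                           -> OK
classify() {
    h1="$1"
    h2="$2"
    if [ "$h1" != 200 ] && [ "$h2" = 200 ]; then
        echo BYPASS
    elif [ "$h1" = 200 ] && [ "$h2" = 200 ]; then
        echo UNPROTECTED
    else
        echo OK
    fi
}

main() {
    url="${1:?usage: $0 https://host/protected/}"
    h1=$(probe_status "$url" --http1.1)
    h2=$(probe_status "$url" --http2)
    echo "HTTP/1.1=$h1 HTTP/2=$h2 -> $(classify "$h1" "$h2")"
}

# Only probe when a URL is supplied; the helpers stay usable when sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh probe.sh https://host/protected/` against a test instance; a `BYPASS` result on an httpd whose version also satisfies `httpd_version_affected` is the condition this plugin flags, and the fix is the package update given in the Solution. Disabling HTTP/2 for the vhost (removing `h2` from `Protocols`) is the usual interim measure until the update is applied, since the bypass only exists on the HTTP/2 path.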
Solution
Update the affected package.