Уязвимость CVE-2019-0217: Информация

Описание

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

Важность: HIGH (7,5) Вектор: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-0217
Опубликовано: 9 апреля 2019 г.
Изменено: 7 ноября 2023 г.
Идентификатор типа ошибки: CWE-362

Исправленные пакеты

Имя пакета
Ветка
Исправлено в версии
Версия в репозитории
Errata ID
№ Задания
Состояние
apache2sisyphus2.4.39-alt12.4.59-alt1ALT-PU-2019-1580-1226417Исправлено
apache2p102.4.39-alt12.4.59-alt1ALT-PU-2019-1580-1226417Исправлено
apache2p92.4.39-alt12.4.58-alt1ALT-PU-2019-1580-1226417Исправлено
apache2p82.4.39-alt12.4.43-alt1ALT-PU-2019-1585-1226418Исправлено
apache2c10f12.4.39-alt12.4.59-alt1ALT-PU-2019-1580-1226417Исправлено
apache2c9f22.4.39-alt12.4.59-alt1ALT-PU-2019-1580-1226417Исправлено
apache2p112.4.39-alt12.4.59-alt1ALT-PU-2019-1580-1226417Исправлено

Ссылки на рекомендации, решения и инструменты

Ссылка
Ресурс
DSA-4422
  • Third Party Advisory
USN-3937-1
  • Third Party Advisory
20190403 [SECURITY] [DSA 4422-1] apache2 security update
  • Issue Tracking
  • Mailing List
  • Third Party Advisory
[debian-lts-announce] 20190403 [SECURITY] [DLA 1748-1] apache2 security update
  • Mailing List
  • Third Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.html
  • Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1695020
  • Issue Tracking
  • Third Party Advisory
107668
  • Third Party Advisory
  • VDB Entry
[oss-security] 20190401 CVE-2019-0217: mod_auth_digest access control bypass
  • Mailing List
  • Third Party Advisory
USN-3937-2
  • Third Party Advisory
openSUSE-SU-2019:1190
  • Mailing List
  • Third Party Advisory
openSUSE-SU-2019:1209
  • Mailing List
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20190423-0001/
  • Third Party Advisory
openSUSE-SU-2019:1258
  • Mailing List
  • Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
  • Patch
  • Third Party Advisory
RHSA-2019:2343
  • Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us
  • Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
  • Broken Link
RHSA-2019:3436
  • Third Party Advisory
RHSA-2019:3935
  • Third Party Advisory
RHSA-2019:3933
  • Third Party Advisory
RHSA-2019:3932
  • Third Party Advisory
RHSA-2019:4126
    N/A
      [httpd-dev] 20190402 re: svn commit: r33393 - /release/httpd/CHANGES_2.4
        FEDORA-2019-119b14075a
          EDORA-2019-cf7695b470
            FEDORA-2019-a4ed7400f4
              [httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
                [httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
                  [httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
                    [httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
                      [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
                        [httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/
                          [httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
                            [httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
                              [httpd-cvs] 20210330 svn commit: r1888194 [12/13] - /httpd/site/trunk/content/security/json/
                                [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
                                  [httpd-cvs] 20210330 svn commit: r1073149 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
                                    [httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

                                        1. Конфигурация 1

                                          cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
                                          Start including
                                          2.4.0
                                          End including
                                          2.4.38

                                          Конфигурация 2

                                          cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
                                          cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

                                          Конфигурация 3

                                          cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
                                          cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
                                          cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

                                          Конфигурация 4

                                          cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
                                          cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
                                          cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
                                          cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
                                          cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

                                          Конфигурация 5

                                          cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux:-:*:*:*:*:*:*:*

                                          Конфигурация 6

                                          cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
                                          cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*

                                          Конфигурация 7

                                          cpe:2.3:o:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
                                          cpe:2.3:a:netapp:oncommand_unified_manager:-:*:*:*:*:7-mode:*:*

                                          Конфигурация 8

                                          cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
                                          cpe:2.3:a:oracle:retail_xstore_point_of_service:7.0:*:*:*:*:*:*:*
                                          cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
                                          cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
                                          cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
                                      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
                                      Версия: v24.5.3
                                      Наверх