CVE-2005-2700 — HIGH (10.0)

Q: How severe is CVE-2005-2700?

CVE-2005-2700 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2005-2700?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Canonical Ubuntu Linux.

Vulnerability Description

ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions.

CVSS Score

10.0

HIGH

AV:N/AC:L/Au:N/C:C/I:C/A:C

Confidentiality

COMPLETE

Integrity

COMPLETE

Availability

COMPLETE

Affected Products

Vendor	Product	Versions
Apache	Http Server	>= 2.0.35, < 2.0.55
Debian	Debian Linux	3.0
Canonical	Ubuntu Linux	4.10

References

http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.htmlBroken Link
http://marc.info/?l=apache-modssl&m=112569517603897&w=2Mailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=112604765028607&w=2Issue TrackingMailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=112870296926652&w=2Issue TrackingMailing ListThird Party Advisory
http://people.apache.org/~jorton/CAN-2005-2700.diffVendor Advisory
http://secunia.com/advisories/16700Not Applicable
http://secunia.com/advisories/16705Not Applicable
http://secunia.com/advisories/16714Not Applicable
http://secunia.com/advisories/16743Not Applicable
http://secunia.com/advisories/16746Not Applicable
http://secunia.com/advisories/16748Not Applicable
http://secunia.com/advisories/16753Not Applicable
http://secunia.com/advisories/16754Not Applicable
http://secunia.com/advisories/16769Not Applicable
http://secunia.com/advisories/16771Not Applicable

FAQ

What is CVE-2005-2700?

CVE-2005-2700 is a vulnerability with a CVSS score of 10.0 (HIGH). ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location cont...

How severe is CVE-2005-2700?

CVE-2005-2700 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2005-2700?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Canonical Ubuntu Linux.