CVE-2017-3167 — CRITICAL (9.8)

Q: How severe is CVE-2017-3167?

CVE-2017-3167 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2017-3167?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Netapp Clustered Data Ontap, Netapp Oncommand Unified Manager, Netapp Storagegrid, Redhat Enterprise Linux Desktop.

Vulnerability Description

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Http Server	>= 2.2.0, < 2.2.33
Netapp	Clustered Data Ontap	-
Netapp	Oncommand Unified Manager	-
Netapp	Storagegrid	-
Redhat	Enterprise Linux Desktop	6.0
Redhat	Enterprise Linux Eus	6.7
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Server Aus	7.2
Redhat	Enterprise Linux Server Tus	7.2
Redhat	Enterprise Linux Workstation	6.0
Redhat	Jboss Core Services	1.0
Redhat	Enterprise Linux	6.0
Apple	Mac Os X	< 10.13.1
Debian	Debian Linux	8.0
Oracle	Secure Global Desktop	5.3

Related Weaknesses (CWE)

CWE-287

References

http://www.debian.org/security/2017/dsa-3896Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlPatchThird Party Advisory
http://www.securityfocus.com/bid/99135Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038711Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:2478Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2479Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2483Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3193Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3194Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3195Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3475Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3476Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3477Third Party Advisory
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cd
https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3

FAQ

What is CVE-2017-3167?

CVE-2017-3167 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being ...

How severe is CVE-2017-3167?

CVE-2017-3167 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-3167?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Netapp Clustered Data Ontap, Netapp Oncommand Unified Manager, Netapp Storagegrid, Redhat Enterprise Linux Desktop.