CVE-2019-0217 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2019-0217?

CVE-2019-0217 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-0217?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Fedoraproject Fedora, Canonical Ubuntu Linux, Redhat Enterprise Linux.

Vulnerability Description

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Http Server	>= 2.4.0, <= 2.4.38
Debian	Debian Linux	8.0
Fedoraproject	Fedora	28
Canonical	Ubuntu Linux	12.04
Redhat	Enterprise Linux	-
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Workstation	7.0
Opensuse	Leap	15.0
Netapp	Oncommand Unified Manager	-
Netapp	Clustered Data Ontap	-
Oracle	Enterprise Manager Ops Center	12.3.3
Oracle	Http Server	12.2.1.3.0
Oracle	Retail Xstore Point Of Service	7.0

Related Weaknesses (CWE)

CWE-362

References

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.htmlMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2019/04/02/5Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/107668Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:2343Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3436Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3932Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3933Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3935Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4126
https://bugzilla.redhat.com/show_bug.cgi?id=1695020Issue TrackingThird Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cd
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e10

FAQ

What is CVE-2019-0217?

CVE-2019-0217 is a vulnerability with a CVSS score of 7.5 (HIGH). In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another userna...

How severe is CVE-2019-0217?

CVE-2019-0217 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-0217?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Fedoraproject Fedora, Canonical Ubuntu Linux, Redhat Enterprise Linux.