Race condition in apache2 (Alpine package)



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-0217
CWE-ID CWE-362
Exploitation vector Network
Public exploit N/A
Vulnerable software
 apache2 (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Race condition

EUVDB-ID: #VU18111

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-0217

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to impersonate other users.

The vulnerability exists due to a race condition within the mod_auth_digests module. A remote authenticated attacker can send a series of requests and impersonate other users under a threaded MPM.

Mitigation

Install update from vendor's website.

Vulnerable software versions

apache2 (Alpine package): 2.4.4-r0 - 2.4.38-r3

CPE2.3 External links

https://git.alpinelinux.org/aports/commit/?id=0342bb148db2b28dcced8a4c5b8e2840f3af9a44
https://git.alpinelinux.org/aports/commit/?id=9d23763439dabef4a81c7cc9c061b69048df9708
https://git.alpinelinux.org/aports/commit/?id=bbf41c02f848c8e5967bd857c6988274dc55f068
https://git.alpinelinux.org/aports/commit/?id=ef86fbabe1c2c14cf06d8c26c6141b650e92049d


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###