#VU18111 Race condition in Apache HTTP Server - CVE-2019-0217

Cybersecurity Help s.r.o.

Published: 2019-04-02

Vulnerability identifier: #VU18111

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-0217

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache HTTP Server
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote authenticated user to impersonate other users.

The vulnerability exists due to a race condition within the mod_auth_digests module. A remote authenticated attacker can send a series of requests and impersonate other users under a threaded MPM.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache HTTP Server: 2.4.0 - 2.4.38

External links
https://www.apache.org/dist/httpd/CHANGES_2.4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Maximo Application Suite - IoT Component

Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)

Multiple vulnerabilities in Dell EMC Unity Family

Multiple vulnerabilities in DELL Secure Connect Gateway Security

Red Hat Software Collections update for httpd24-httpd

Red Hat JBoss Core Services update Apache HTTP Server 2.4.37 (RHEL 7)

Red Hat JBoss Core Services update for Apache HTTP Server 2.4.37 (RHEL 6)

Red Hat JBoss Core Services update for Apache HTTP Server 2.4.37

Red Hat update for httpd:2.4

Red Hat update for httpd