Security restrictions bypass in Apache HTTP Server - CVE-2018-17199
Published: January 23, 2019 / Updated: January 24, 2019
Vulnerability identifier: #VU17178
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-17199
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache HTTP Server
Apache HTTP Server
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to mod_session checks the session expiry time before decoding the session. A remote attacker сan cause session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded and reuse old session credentials or session IDs, which the attacker could use to access web pages previously accessed by a targeted user.
The weakness exists due to mod_session checks the session expiry time before decoding the session. A remote attacker сan cause session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded and reuse old session credentials or session IDs, which the attacker could use to access web pages previously accessed by a targeted user.
How to mitigate CVE-2018-17199
Update to version 2.4.38.