Vulnerability identifier: #VU7115
Vulnerability risk: Medium
Exploitation vector: Network
Exploit availability: No
Vendor: Apache Foundation
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists because third-party modules use the ap_get_basic_auth_pw() function outside of the authentication phase. A remote attacker can send a specially crafted HTTP request to a vulnerable web server, bypass authentication requirements and gain unauthorized access to otherwise protected information.
Update Apache HTTP Server to version 2.2.34 or 2.4.26.
Vulnerable software versions
Apache HTTP Server: 2.2.0 - 2.4.25
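The version range and fixed releases above can be checked against a server inventory. The following is an added example, not part of the original advisory: it classifies a `Server:` header or `httpd -v` line using only the versions stated on this page. The function names and sample banners are constructed, and treating 2.3.x as affected with 2.4.26 as its upgrade target is an assumption drawn from the numeric range.

```python
import re

# Versions taken from this advisory: affected 2.2.0 - 2.4.25,
# fixed in 2.2.34 (2.2 branch) and 2.4.26 (2.4 branch).
AFFECTED_MIN = (2, 2, 0)
AFFECTED_MAX = (2, 4, 25)
FIXED = {(2, 2): (2, 2, 34), (2, 4): (2, 4, 26)}

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch) from a banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(banner):
    """Return (status, upgrade_to) for a banner string.

    status is 'vulnerable', 'ok' or 'unknown'; upgrade_to is the fixed
    release named by the advisory for that branch, or None.
    """
    version = parse_version(banner)
    if version is None:
        # e.g. "ServerTokens Prod" hides the version: needs a host-side check.
        return ("unknown", None)
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return ("ok", None)
    fixed = FIXED.get(version[:2])
    if fixed is not None and version >= fixed:
        return ("ok", None)  # e.g. 2.2.34 sits inside the numeric range but is fixed
    # Assumption: branches without their own fix (2.3.x) move to 2.4.26.
    target = fixed or FIXED[(2, 4)]
    return ("vulnerable", ".".join(str(n) for n in target))


if __name__ == "__main__":
    # Constructed sample banners, not taken from real hosts.
    samples = [
        "Server: Apache/2.4.25 (Debian)",
        "Server: Apache/2.2.15 (CentOS)",
        "Server version: Apache/2.2.34 (Unix)",
        "Server: Apache/2.4.26",
        "Server: Apache",
    ]
    for line in samples:
        print(f"{line!r:45} -> {assess(line)}")
```

A banner version is only a first filter: distributions often backport fixes without changing the upstream version string, so confirm a "vulnerable" result against the package changelog on the host.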
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?