#VU7115 Authentication bypass


Published: 2017-06-20 | Updated: 2017-07-14

Vulnerability identifier: #VU7115

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2017-3167

CWE-ID: CWE-592

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache HTTP Server
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to usage of the ap_get_basic_auth_pw() function by third-party modules outside of the authentication phase. A remote attacker can create a specially crafted HTTP request to vulnerable web server, bypass authentication requirements and gain unauthorized access to otherwise protected information.

Mitigation
Update Apache HTTP server to version 2.2.34 or 2.4.26.

Vulnerable software versions

Apache HTTP Server: 2.2.0 - 2.4.25


CPE

External links
http://httpd.apache.org/security/vulnerabilities_22.html


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability