#VU7115 Authentication bypass in Apache HTTP Server - CVE-2017-3167

 


Published: June 20, 2017 / Updated: July 14, 2017


Vulnerability identifier: #VU7115
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-3167
CWE-ID: CWE-592
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Apache HTTP Server
Software vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to use of the ap_get_basic_auth_pw() function by third-party modules outside of the authentication phase. A remote attacker can send a specially crafted HTTP request to a vulnerable web server, bypass authentication requirements and gain unauthorized access to otherwise protected information.
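
One way to locate the pattern described above in third-party module sources, as an added example that is not part of this advisory or of Apache's code: it lists each call to ap_get_basic_auth_pw() and whether the enclosing function is registered as an authentication-phase hook. The hook names ap_hook_check_user_id and ap_hook_check_authn come from the httpd API rather than from this page, the module source is constructed, and function detection is a line-based heuristic.

```python
import re

TARGET = re.compile(r"\bap_get_basic_auth_pw\s*\(")
# Authentication-phase hook registrations (httpd API names, not from the advisory).
AUTH_HOOK = re.compile(r"\bap_hook_check_(?:user_id|authn)\s*\(\s*&?\s*(\w+)")
# Heuristic: a function definition starts at column 0 and ends with ")" or ") {".
FUNC_DEF = re.compile(r"(?:[\w\*]+\s+)*\*?(\w+)\s*\([^;{]*\)\s*\{?\s*$")
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def audit_module_source(src):
    """Return (line, function, is_auth_hook) for each ap_get_basic_auth_pw() call."""
    # Blank out comments but keep newlines so line numbers stay correct.
    code = COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), src)
    auth_funcs = set(AUTH_HOOK.findall(code))
    findings, current = [], None
    for no, line in enumerate(code.split("\n"), 1):
        m = FUNC_DEF.match(line)
        if m:
            current = m.group(1)
        elif line.startswith("}"):
            current = None  # left the function; unknown context gets flagged
        if TARGET.search(line):
            findings.append((no, current, current in auth_funcs))
    return findings

# Constructed module source, for illustration only.
SAMPLE = r'''
static int check_login(request_rec *r)
{
    const char *pw;
    int rc = ap_get_basic_auth_pw(r, &pw);   /* authentication phase */
    return rc != OK ? rc : verify(r->user, pw);
}

static int log_request(request_rec *r)
{
    const char *pw;
    ap_get_basic_auth_pw(r, &pw);            // outside the auth phase
    return DECLINED;
}

static void register_hooks(apr_pool_t *p)
{
    ap_hook_check_user_id(check_login, NULL, NULL, APR_HOOK_MIDDLE);
    ap_hook_log_transaction(log_request, NULL, NULL, APR_HOOK_MIDDLE);
}
'''
if __name__ == "__main__":
    for no, func, ok in audit_module_source(SAMPLE):
        print(f"line {no}: {func}: {'auth hook' if ok else 'REVIEW'}")
```

A call reported inside a registered hook is not cleared by this check; the output only narrows where to start the manual review.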


Remediation

Update Apache HTTP Server to version 2.2.34 or 2.4.26.
