CVE-2019-0215 - Improper Access Control

Severity: 60%

Complexity: 68%

Confidentiality: 106%

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

CVSS 3.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 6. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P).

Overview

First reported: 2019-04-08 20:29:00

Last updated: 2019-05-14 03:29:00

Affected Software

Apache Software Foundation HTTP Server 2.4.37

Apache Software Foundation HTTP Server 2.4.38

Fedora 29

Fedora 30

References

[oss-security] 20190401 CVE-2019-0215: mod_ssl access control bypass

Mailing List, Mitigation, Third Party Advisory

107667

Third Party Advisory, VDB Entry

RHSA-2019:0980

https://httpd.apache.org/security/vulnerabilities_24.html

Vendor Advisory

[httpd-dev] 20190804 Re: svn commit: r1856807 - /httpd/test/framework/trunk/t/security/CVE-2019-0215.t

[httpd-cvs] 20190402 svn commit: r1856807 - /httpd/test/framework/trunk/t/security/CVE-2019-0215.t

Exploit, Mailing List, Vendor Advisory

[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-dev] 20190806 Re: svn commit: r1856807 - /httpd/test/framework/trunk/t/security/CVE-2019-0215.t

[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20190806 svn commit: r1864463 - /httpd/test/framework/trunk/t/security/CVE-2019-0215.t

[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

FEDORA-2019-a4ed7400f4

FEDORA-2019-119b14075a

Third Party Advisory

FEDORA-2019-cf7695b470

Third Party Advisory

https://security.netapp.com/advisory/ntap-20190423-0001/

Third Party Advisory

https://support.f5.com/csp/article/K59440504

Third Party Advisory

N/A

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
