Apache · Apache Http Server · CVE-2016-4979
**Name of the Vulnerable Software and Affected Versions**
Apache HTTP Server versions 2.4.18 through 2.4.20
**Description**
The issue allows remote attackers to bypass intended access restrictions by sending multiple requests over a single connection and aborting a renegotiation, when `mod_http2` and `mod_ssl` are enabled. The cause is improper recognition of the `SSLVerifyClient require` directive when authorizing HTTP/2 requests. In affected configurations that enable HTTP/2, a client certificate requirement configured with `SSLVerifyClient require` is not enforced for requests arriving over HTTP/2, so clients without a valid certificate can reach resources that the directive was meant to protect.
**Recommendations**
For versions 2.4.18 through 2.4.20, consider disabling the `mod_http2` module until a patch is available that enforces SSL client certificate validation for HTTP/2 requests. Restrict access to protected resources over HTTP/2 to minimize the risk of exploitation. Avoid relying solely on the `SSLVerifyClient require` directive for access control in HTTP/2 configurations.
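The affected pattern and the mitigation from the recommendations above, shown as an added illustrative `httpd` configuration (not taken from the Apache project or from this advisory); the hostname, certificate paths and the `/protected` location are assumptions:

```apache
# Added example, not the project's own configuration.
# Hostname, certificate paths and /protected are assumed values.

# Affected pattern: HTTP/2 is offered on a host that relies on a
# per-location client-certificate requirement for access control.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem

    # h2 is negotiated via ALPN alongside HTTP/1.1.
    Protocols h2 http/1.1

    # Over HTTP/1.1 mod_ssl enforces this by renegotiating with the
    # client; on 2.4.18 through 2.4.20 it is not enforced for requests
    # that arrive over HTTP/2, which is the bypass described above.
    <Location "/protected">
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# Mitigation (per host): stop offering HTTP/2 on any host whose access
# control depends on SSLVerifyClient, so every request to /protected is
# an HTTP/1.1 request, where the directive is enforced. Only the
# Protocols line changes relative to the affected host above.
#
#     Protocols http/1.1
#
# Mitigation (server-wide): do not load mod_http2 at all until a
# fixed release is installed; comment out the LoadModule line in the
# main server configuration (path is an assumption):
#
#     #LoadModule http2_module modules/mod_http2.so
```

After reloading, `apachectl -M` should no longer list `http2_module` (server-wide mitigation), and `openssl s_client -connect www.example.com:443 -alpn h2 </dev/null` should report that no ALPN protocol was negotiated rather than `ALPN protocol: h2` (per-host mitigation).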