PT-2004-1240 · Apache · Apache-Ssl
Wietse Venema
·
Publicado
2004-03-03
·
Atualizado
2017-10-10
·
CVE-2004-0009
CVSS v2.0
7.5
Alta
| Vetor | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Apache-SSL versions 1.3.28+1.52 and earlier
Description
The issue allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user, given that SSLVerifyClient is set to 1 or 3 and SSLFakeBasicAuth is enabled.
Recommendations
For Apache-SSL versions 1.3.28+1.52 and earlier, consider disabling SSLFakeBasicAuth until a patch is available, and review the configuration of SSLVerifyClient to ensure it is set appropriately to minimize the risk of exploitation.
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Apache-Ssl