PT-2018-2717 · Apache+7 · Apache Http Server+7
Diego Angulo
Published: 2018-10-08
Updated: 2021-06-06
CVE-2018-17199
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Apache HTTP Server versions 2.4.37 and prior
Description
The issue is in the mod_session module of Apache HTTP Server, which checks the session expiry time before decoding the session. Because the expiry time is only loaded when the session is decoded, it is ignored for mod_session_cookie sessions. Exploitation of this issue may allow a remote attacker to impact the integrity of protected data.
Recommendations
For Apache HTTP Server versions 2.4.37 and prior, consider updating to a version in which mod_session checks the session expiry time after decoding the session, or apply a patch that fixes this issue if one is available. As a temporary workaround, consider restricting access to mod_session_cookie sessions to minimize the risk of exploitation.
Fix
Session Fixation
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Apache Http Server
Centos
Red Hat
Rocky Linux
Suse
Ubuntu