PT-2004-1240 · Apache · Apache-Ssl
Wietse Venema · Published 2004-03-03 · Updated 2017-10-10 · CVE-2004-0009
| CVSS v2.0 | 7.5 (High) |
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Apache-SSL versions 1.3.28+1.52 and earlier
Description
The issue allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user, given that SSLVerifyClient is set to 1 or 3 and SSLFakeBasicAuth is enabled.
Recommendations
For Apache-SSL versions 1.3.28+1.52 and earlier, disable SSLFakeBasicAuth until a patch is available, and review every context in which SSLVerifyClient is set to 1 or 3, since those are the settings under which the issue applies.
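As an added illustration of the review this recommendation calls for (example code written for this page, not part of the advisory or of Apache-SSL), the following Python audit flags every configuration context, global or per virtual host, in which SSLVerifyClient is 1 or 3 while SSLFakeBasicAuth is on. The httpd.conf fragment it runs on is constructed, and the inheritance rule (a virtual host takes any global value it does not override) is an assumption about how such configs are typically laid out.

```python
import re

# Constructed sample Apache-SSL config (not from the advisory): safe globals, a
# vhost that re-enables the risky pair, and one inheriting SSLVerifyClient 2.
SAMPLE_CONF = """
SSLVerifyClient 2
SSLFakeBasicAuth off
<VirtualHost *:443>
    SSLVerifyClient 1
    SSLFakeBasicAuth on
</VirtualHost>
<VirtualHost *:8443>
    SSLFakeBasicAuth on
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^<VirtualHost\s+(.+?)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)
DIRECTIVE = re.compile(r"^(SSLVerifyClient|SSLFakeBasicAuth)\s+(\S+)", re.IGNORECASE)

def parse_contexts(conf_text):
    """Map '_global' and each <VirtualHost> to {directive: value}, lower-cased."""
    contexts, current = {"_global": {}}, "_global"
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = opened.group(1)
            contexts.setdefault(current, {})
        elif VHOST_CLOSE.match(line):
            current = "_global"
        else:
            hit = DIRECTIVE.match(line)
            if hit:  # last occurrence in a context wins, as in Apache
                contexts[current][hit.group(1).lower()] = hit.group(2).lower()
    return contexts

def exposed_contexts(conf_text):
    """Contexts meeting the advisory's precondition: SSLVerifyClient 1 or 3
    (certificate optional) with SSLFakeBasicAuth on; vhosts inherit globals."""
    contexts = parse_contexts(conf_text)
    flagged = []
    for name, local_cfg in contexts.items():
        effective = {**contexts["_global"], **local_cfg}
        if (effective.get("sslverifyclient") in ("1", "3")
                and effective.get("sslfakebasicauth") == "on"):
            flagged.append(name)
    return flagged
```

Running `exposed_contexts(SAMPLE_CONF)` reports only the `*:443` host; the second host is not flagged because it inherits the global SSLVerifyClient 2.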
Affected Products
Apache-Ssl