PT-2016-3172 · Apache · Apache Http Server

Published 2016-12-05 · Updated 2025-11-04 · CVE-2017-3167

CVSS v3.1 9.8 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache httpd versions 2.2.x through 2.2.32
Apache httpd versions 2.4.x through 2.4.25
Description
The issue stems from third-party modules calling the ap_get_basic_auth_pw() function outside of the authentication phase. Besides returning the password from the Authorization header, this function records the supplied user name in the request as if that user had been authenticated. When a module calls it from a different hook (for example to log or inspect credentials), the request is left marked with a user name that no authentication provider has verified, and later processing may treat the request as already authenticated. An unauthenticated remote attacker who supplies an arbitrary Authorization header to a server running such a module could thereby bypass the configured authentication requirements. Exposure therefore depends on which third-party modules are loaded, not on the core server alone.
Recommendations
For Apache httpd versions 2.2.x through 2.2.32, update to version 2.2.33 or later. For Apache httpd versions 2.4.x through 2.4.25, update to version 2.4.26 or later. Distribution packages listed under Related Identifiers may carry the fix as a backport without changing the upstream version number, so check the vendor advisory or package changelog rather than relying on the version string alone. Authors of third-party modules should replace calls to ap_get_basic_auth_pw() with ap_get_basic_auth_components(), which is available from 2.2.33 and 2.4.26 and does not alter the request's authentication state; a module that must keep calling ap_get_basic_auth_pw() should do so only during the authentication phase and must either authenticate the user immediately after the call or fail the request.
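A version triage helper, added here as an example and not part of the original advisory: it parses the "Server version: Apache/x.y.z" line printed by httpd -v (or apache2 -v) and compares it with the fixed releases named above, returning None for branches the advisory does not cover. The sample outputs are constructed for the example, and the distro_backports flag and the assess() verdict strings are this example's own, modelling the backport caveat from the recommendations.

```python
"""Classify an Apache httpd version string against CVE-2017-3167.

Added example, not part of the original advisory. The fixed releases come
from the advisory above: 2.2.33 for the 2.2 branch, 2.4.26 for the 2.4
branch. The sample `httpd -v` outputs below are constructed.
"""
import re

# First fixed release per branch, per the recommendations in this advisory.
FIXED = {(2, 2): (2, 2, 33), (2, 4): (2, 4, 26)}

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(httpd_v_output):
    """Extract (major, minor, patch) from `httpd -v` / `apache2 -v` output.

    Returns None when no 'Apache/x.y.z' token is present, e.g. a Server
    header sent with ServerTokens Prod, which hides the version entirely.
    """
    m = _VERSION_RE.search(httpd_v_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable_upstream(version):
    """True if an upstream (unpatched) build of `version` is in the affected range.

    Branches other than 2.2 and 2.4 are outside the advisory's scope, so this
    returns None for them rather than guessing.
    """
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def assess(httpd_v_output, distro_backports=False):
    """Return a short verdict string for one host.

    `distro_backports` (this example's own flag) models the caveat that vendor
    packages keep the old version number while carrying the fix, so the
    version string alone cannot prove a distribution build is vulnerable.
    """
    version = parse_httpd_version(httpd_v_output)
    if version is None:
        return "unknown: no Apache/x.y.z version found"
    vstr = ".".join(map(str, version))
    verdict = is_vulnerable_upstream(version)
    if verdict is None:
        return f"out of scope: {vstr} is not a 2.2.x or 2.4.x release"
    if not verdict:
        return f"not affected: {vstr} is at or past the fixed release"
    if distro_backports:
        return f"check package changelog: {vstr} may carry a backported fix"
    fixed = ".".join(map(str, FIXED[version[:2]]))
    return f"affected: {vstr} < {fixed}; upgrade"


# Constructed sample outputs in the format printed by `httpd -v`.
SAMPLES = {
    "upstream_old": "Server version: Apache/2.4.25 (Unix)\nServer built:   Dec 20 2016 11:10:59",
    "upstream_fixed": "Server version: Apache/2.4.26 (Unix)\nServer built:   Jun 13 2017 01:21:33",
    "vendor_pkg": "Server version: Apache/2.4.6 (Red Hat Enterprise Linux)\nServer built:   Aug  3 2017 05:17:42",
    "hidden": "Server: Apache",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name:15s} {assess(out, distro_backports=(name == 'vendor_pkg'))}")
```

Run it against the real output of httpd -v on each host; for distribution builds, pass distro_backports=True and then confirm the fix through the vendor advisory (RHSA, DSA, USN, SUSE-SU) rather than the version number.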

Weakness Enumeration
Improper Authentication (CWE-287)

Related Identifiers

ALT-PU-2017-1783
BDU:2017-02153
CESA-2017_2478
CESA-2017_2479
CVE-2017-3167
DLA-1009-1
DSA-3896-1
MGASA-2018-0007
RHSA-2017:2478
RHSA-2017:2479
RHSA-2017:2483
RHSA-2017:3193
RHSA-2017:3194
RHSA-2017:3195
RHSA-2017:3476
RHSA-2017:3477
SUSE-SU-2017:1714-1
SUSE-SU-2017:2449-1
SUSE-SU-2017:2756-1
SUSE-SU-2017:2907-1
USN-3340-1
USN-3373-1

Affected Products

Alt Linux
Apache Http Server
Centos
Red Hat
Suse
Ubuntu