PT-2018-2717 · Apache+7 · Apache Http Server+7

Diego Angulo · Published 2018-10-08 · Updated 2021-06-06 · CVE-2018-17199

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.37 and prior
Description: The issue is in the mod_session module of Apache HTTP Server, where the session expiry time is checked before the session is decoded. Because the expiry time is only loaded when the session is decoded, the expiry check is effectively skipped for mod_session_cookie sessions. Exploitation of this issue may allow a remote attacker to impact the integrity of protected data.
Recommendations: For Apache HTTP Server versions 2.4.37 and prior, update to a version in which mod_session checks the session expiry time after decoding the session, or apply a patch that fixes this issue if one is available. As a temporary workaround, consider restricting access to mod_session_cookie sessions to minimize the risk of exploitation.
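To make the ordering bug concrete, here is a small Python model added to this entry (it is not Apache's code; the cookie format, the expiry-of-0 convention and the two loader functions are assumptions for illustration): the vulnerable loader checks expiry before the cookie is decoded and therefore accepts a stale session, while the fixed loader checks it after decoding and rejects it.

```python
import time
from urllib.parse import parse_qs, urlencode

# Constructed model, not Apache's code: a mod_session_cookie-style session is a
# URL-encoded key=value string held entirely in the client's cookie, and its
# "expiry" field only becomes known once that string has been decoded.

def encode_session(entries, expiry):
    """Serialise a session the way the model's cookie holds it (expiry included)."""
    return urlencode({"expiry": expiry, **entries})

def decode_session(cookie):
    """Parse the cookie value; returns (expiry, entries)."""
    fields = {k: v[0] for k, v in parse_qs(cookie).items()}
    expiry = int(fields.pop("expiry", 0))
    return expiry, fields

def is_expired(expiry, now):
    """An expiry of 0 means 'no expiry set' (assumed convention); otherwise compare."""
    return bool(expiry) and expiry < now

def load_session_vulnerable(cookie, now):
    """Expiry checked BEFORE decoding: the expiry slot is still 0, so the check never fires."""
    expiry, entries = 0, {}            # fresh session record, nothing decoded yet
    if is_expired(expiry, now):        # always False here: expiry not loaded yet
        return None
    expiry, entries = decode_session(cookie)
    return entries                     # stale cookie is accepted

def load_session_fixed(cookie, now):
    """Expiry checked AFTER decoding, so the value carried in the cookie is honoured."""
    expiry, entries = decode_session(cookie)
    if is_expired(expiry, now):
        return None                    # stale cookie is rejected
    return entries

if __name__ == "__main__":
    now = int(time.time())
    stale = encode_session({"user": "alice"}, expiry=now - 3600)  # expired an hour ago
    print("vulnerable:", load_session_vulnerable(stale, now))   # {'user': 'alice'}
    print("fixed:     ", load_session_fixed(stale, now))        # None
```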

Weakness Enumeration

Session Fixation

Related Identifiers

ALSA-2021:1809
ALT-PU-2019-1125
BDU:2019-01564
CESA-2020_1121
CESA-2021_1809
CVE-2018-17199
DLA-1647-1
DSA-4422-1
MGASA-2019-0109
OPENSUSE-SU-2019:0296-1
OPENSUSE-SU-2019_0296-1
OPENSUSE-SU-2019_0305-1
RHSA-2019:3932
RHSA-2019:3933
RHSA-2019:4126
RHSA-2020:1121
RHSA-2020_1121
RHSA-2021:1809
RHSA-2021_1809
RLSA-2021:1809
SUSE-SU-2019:0498-1
SUSE-SU-2019:0504-1
SUSE-SU-2019:0888-1
SUSE-SU-2019:0888-2
SUSE-SU-2019:0889-1
SUSE-SU-2019_0888-1
SUSE-SU-2019_0888-2
SUSE-SU-2019_0889-1
USN-3937-1

Affected Products

Alt Linux
Almalinux
Apache Http Server
Centos
Red Hat
Rocky Linux
Suse
Ubuntu