PT-2025-29117 · Apache · Apache HTTP Server

Felix Cramer

Published: 2024-11-25 · Updated: 2026-03-10

CVE-2025-23048

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.35 through 2.4.63
Description: In certain mod_ssl configurations, an access control bypass is possible for trusted clients using TLS 1.3 session resumption. This occurs when mod_ssl is configured for multiple virtual hosts, each restricted to a different set of trusted client certificates, and SSLStrictSNIVHostCheck is not enabled in either virtual host.
Recommendations: Apache HTTP Server versions 2.4.35 through 2.4.63: enable SSLStrictSNIVHostCheck in all virtual host configurations.
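The following configuration is an added illustration of the recommended setting and is not part of this advisory or of the Apache project's documentation. It shows the affected layout (two name-based TLS virtual hosts on the same IP:port, each requiring client certificates from a different CA) with the mitigation applied in both. Hostnames, certificate paths and CA file names are placeholders.

```apache
# Added example (not from the advisory): two name-based TLS virtual hosts on
# the same address and port, each admitting a different set of trusted client
# certificates. All names and paths below are placeholders.
Listen 443

<VirtualHost *:443>
    ServerName partners.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/partners.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/partners.example.com.key

    # Only clients presenting a certificate issued by the partner CA are admitted.
    SSLVerifyClient      require
    SSLVerifyDepth       2
    SSLCACertificateFile /etc/ssl/ca/partner-clients-ca.pem

    # Mitigation recommended for CVE-2025-23048: set in every virtual host.
    # The directive defaults to Off; the advisory's condition is that it is
    # not enabled in either virtual host.
    SSLStrictSNIVHostCheck on
</VirtualHost>

<VirtualHost *:443>
    ServerName admin.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/admin.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/admin.example.com.key

    # A separate, internal CA: the partner CA's certificates must not be
    # accepted here.
    SSLVerifyClient      require
    SSLVerifyDepth       2
    SSLCACertificateFile /etc/ssl/ca/internal-admin-ca.pem

    # Same mitigation in the second virtual host.
    SSLStrictSNIVHostCheck on
</VirtualHost>
```

After editing, run `apachectl configtest` (or `httpd -t`) and reload the server. Two points worth checking: SSLStrictSNIVHostCheck only takes effect in virtual hosts with SSLEngine on, so confirm each TLS vhost carries the directive; and when it is set in the default (first) virtual host for an address/port pair, clients that do not send SNI at all are refused for every name-based vhost on that pair, which may affect legacy clients. The setting is a hardening step for the listed versions; it does not replace updating to a release outside the affected range.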

Weakness Enumeration

Improper Access Control

Related Identifiers

ALSA-2025:15023
ALSA-2025:15095
ALSA-2025:15123
ALSA-2025_15023
ALSA-2025_15123
ALT-PU-2025-9373
ALT-PU-2025-9540
ALT-PU-2025-9924
AZL-65163
AZL-65223
BDU:2025-08976
BIT-APACHE-2025-23048
CESA-2025_15123
CVE-2025-23048
DLA-4270-1
INFSA-2025_15023
INFSA-2025_15123
MGASA-2025-0301
OESA-2025-2168
OESA-2025-2169
OESA-2025-2170
OESA-2025-2171
OESA-2025-2172
OESA-2025-2278
OPENSUSE-SU-2025:15360-1
OPENSUSE-SU-2026:20810-1
RHSA-2025:13680
RHSA-2025_15023
RHSA-2025_15123
SUSE-SU-2025:02565-1
SUSE-SU-2025:02682-1
SUSE-SU-2025:02683-1
SUSE-SU-2025:02684-1
SUSE-SU-2025:02685-1
SUSE-SU-2025_02565-1
SUSE-SU-2025_02682-1
SUSE-SU-2025_02683-1
SUSE-SU-2025_02684-1
SUSE-SU-2025_02685-1
SUSE-SU-2026:21846-1
USN-7639-1
USN-7639-2

Affected Products

Alt Linux
Almalinux
Apache Http Server
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu