CVE-2019-0215
Public on 2019-04-04
Modified on 2019-08-06
Description
A flaw was found in Apache HTTP Server 2.4 (releases 2.4.37 and 2.4.38). A bug in mod_ssl, when using per-location client certificate verification with TLSv1.3, allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions. An attacker could perform various unauthorized actions after bypassing the restrictions. The highest threat from this vulnerability is to data confidentiality and integrity.
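The conditions named in the description (an affected release, TLSv1.3 in use, and client certificate verification set per location) can be checked against a server's configuration. The Python sketch below is an added example, not code from Amazon or the Apache project. Its function names and sample configuration are constructed, the `SSLProtocol` handling is a heuristic that assumes a TLSv1.3-capable build, and it does not read `Include`d files or `.htaccess`.

```python
import re

AFFECTED = {"2.4.37", "2.4.38"}  # upstream releases named in the description
# Per-location/per-directory containers; <VirtualHost> is deliberately absent.
SECTION = re.compile(
    r"<\s*(/?)\s*(Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch)\b([^>]*)>",
    re.I)
VERIFY = re.compile(r"^\s*SSLVerifyClient\s+(\S+)", re.I)
PROTO = re.compile(r"^\s*SSLProtocol\s+(.+)$", re.I)

def tls13_enabled(conf_text):
    """Heuristic: the last SSLProtocol line decides; none means the default."""
    enabled = True  # assumption: the build links a TLSv1.3-capable OpenSSL
    for line in conf_text.splitlines():
        m = PROTO.match(line)
        if m:
            tokens = [t.lower() for t in m.group(1).split()]
            enabled = "-tlsv1.3" not in tokens and any(
                t.lstrip("+") in ("all", "tlsv1.3") for t in tokens)
    return enabled

def per_location_verify(conf_text):
    """Return (line, container, level) for SSLVerifyClient inside a container."""
    stack, hits = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        s = SECTION.match(line.strip())
        if s:
            if not s.group(1):
                stack.append(f"{s.group(2)} {s.group(3).strip()}")
            elif stack:
                stack.pop()
            continue
        v = VERIFY.match(line)
        if v and stack and v.group(1).lower() != "none":
            hits.append((lineno, stack[-1], v.group(1)))
    return hits

def assess(version, conf_text):
    """Hits only when release and protocol also match the description."""
    if version in AFFECTED and tls13_enabled(conf_text):
        return per_location_verify(conf_text)
    return []

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLVerifyClient none
    <Location "/admin">
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""
```

The version argument is the upstream release string; a distribution package may carry the fix under a different package version, so confirm against the advisories listed under Affected Packages.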
Severity
CVSS v3 Base Score
Affected Packages
Platform | Package | Release Date | Advisory | Status |
---|---|---|---|---|
Amazon Linux 2 - Core | httpd | 2019-04-04 | ALAS2-2019-1189 | Fixed |
Amazon Linux 1 | httpd24 | 2019-04-05 | ALAS-2019-1189 | Fixed |
CVSS Scores
Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 6.8 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
NVD | CVSSv2 | 6.0 | AV:N/AC:M/Au:S/C:P/I:P/A:P |
NVD | CVSSv3 | 7.5 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |