vulnerability
Arch Linux: Authentication bypass (CVE-2017-3167)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Jun 20, 2017 | Jul 11, 2025 | Nov 27, 2025 |
Severity
7
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Jun 20, 2017
Added
Jul 11, 2025
Modified
Nov 27, 2025
Description
An authentication bypass flaw has been found in Apache httpd < 2.4.26, where the use of the ap_get_basic_auth_pw() function by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request.
Solution
arch-linux-upgrade-latest
References
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.