vulnerability
Oracle Linux: CVE-2018-1283: ELSA-2020-3958: httpd security, bug fix, and enhancement update (MODERATE) (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:H/Au:N/C:P/I:P/A:N) | 2018-03-21 | 2020-10-13 | 2024-11-27 |
Severity
4
CVSS
(AV:N/AC:H/Au:N/C:P/I:P/A:N)
Published
2018-03-21
Added
2020-10-13
Modified
2024-11-27
Description
In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.
It has been discovered that the mod_session module of Apache HTTP Server (httpd), through version 2.4.29, has an improper input validation flaw in the way it handles HTTP session headers in some configurations. A remote attacker may influence their content by using a "Session" header.
It has been discovered that the mod_session module of Apache HTTP Server (httpd), through version 2.4.29, has an improper input validation flaw in the way it handles HTTP session headers in some configurations. A remote attacker may influence their content by using a "Session" header.
Solution(s)
oracle-linux-upgrade-httpdoracle-linux-upgrade-httpd-develoracle-linux-upgrade-httpd-manualoracle-linux-upgrade-httpd-toolsoracle-linux-upgrade-mod-ldaporacle-linux-upgrade-mod-proxy-htmloracle-linux-upgrade-mod-sessionoracle-linux-upgrade-mod-ssl
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.