CVE-2018-17199

Published: 30 January 2019

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
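
The ordering problem described above, modeled in C as an added example (this is not Apache's source code). The struct, the function names and the `expiry=N&user=NAME` cookie format are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a cookie-backed session; not Apache's data structures. */
typedef struct {
    const char *encoded; /* raw cookie value as received from the client */
    long expiry;         /* 0 until decoded; 0 also means "no expiry" */
    char user[32];
} session;

/* Decoding is the step that fills in expiry (constructed format: "expiry=N&user=NAME"). */
static int decode(session *s) {
    return sscanf(s->encoded, "expiry=%ld&user=%31[^&]", &s->expiry, s->user) == 2;
}

static int expired(const session *s, long now) {
    return s->expiry != 0 && s->expiry < now;
}

/* Affected ordering: the expiry test runs while expiry is still 0, so it never fires. */
int load_check_then_decode(const char *cookie, long now) {
    session s = { cookie, 0, "" };
    if (expired(&s, now)) return 0;
    return decode(&s);            /* 1 = session accepted */
}

/* Corrected ordering: decode first, then test the expiry that was just loaded. */
int load_decode_then_check(const char *cookie, long now) {
    session s = { cookie, 0, "" };
    if (!decode(&s)) return 0;
    return !expired(&s, now);
}

int main(void) {
    const char *stale = "expiry=1000&user=alice"; /* constructed sample, expired at t=1000 */
    long now = 2000;
    printf("check-then-decode accepts stale session: %d\n", load_check_then_decode(stale, now));
    printf("decode-then-check accepts stale session: %d\n", load_decode_then_check(stale, now));
    return 0;
}
```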

Priority

Low

CVSS 3 base score: 7.5

Status

Package: apache2
Upstream: Released (2.4.38-1)
Ubuntu 18.04 LTS (Bionic Beaver): Released (2.4.29-1ubuntu4.6)
Ubuntu 16.04 ESM (Xenial Xerus): Released (2.4.18-2ubuntu3.10)
Ubuntu 14.04 ESM (Trusty Tahr): Released (2.4.7-1ubuntu4.22)

Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1851409 (2.4)