CVE-2019-0217

Published: 02 April 2019

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver)
Released (2.4.29-1ubuntu4.6)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (2.4.18-2ubuntu3.10)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (2.4.7-1ubuntu4.22)
Patches:
Upstream: https://github.com/apache/httpd/commit/44b3ddc560c490c60600998fa2bf59b142d08e05