CVE-2017-3167

Name
CVE-2017-3167
Description
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
NVD Severity
unknown

References

Type URI
Third Party Advisory http://www.debian.org/security/2017/dsa-3896
Patch http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Third Party Advisory http://www.securityfocus.com/bid/99135
Third Party Advisory http://www.securitytracker.com/id/1038711
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:2478
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:2479
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:2483
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3193
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3194
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3195
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3475
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3476
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3477
security@apache.org https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3d64f70bbdb8b4%40%3Cdev.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
Third Party Advisory https://security.gentoo.org/glsa/201710-32
Third Party Advisory https://security.netapp.com/advisory/ntap-20180601-0002/
Third Party Advisory https://support.apple.com/HT208221
Third Party Advisory https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03908en_us
Third Party Advisory https://www.nomachine.com/SU08O00185
Third Party Advisory https://www.tenable.com/security/tns-2019-09
af854a3a-2127-422b-91ae-364da2661108 http://seclists.org/fulldisclosure/2024/Sep/22

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* http_server >= 2.2.0 < 2.2.33
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* http_server >= 2.4.0 < 2.4.26

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
apache2 edge-main 2.4.26-r0 None fixed
apache2 3.22-main 2.4.26-r0 None fixed
apache2 3.21-main 2.4.26-r0 None fixed
apache2 3.20-main 2.4.26-r0 None fixed
apache2 3.19-main 2.4.26-r0 None fixed
apache2 3.18-main 2.4.26-r0 None fixed
apache2 3.17-main 2.4.26-r0 None fixed
apache2 3.12-main 2.4.26-r0 None fixed
apache2 3.11-main 2.4.26-r0 None fixed
apache2 3.10-main 2.4.26-r0 None fixed