CVE-2018-17199

Name
CVE-2018-17199
Description
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Vendor Advisory https://httpd.apache.org/security/vulnerabilities_24.html
Third Party Advisory https://security.netapp.com/advisory/ntap-20190125-0001/
Mailing List https://lists.debian.org/debian-lts-announce/2019/01/msg00024.html
Third Party Advisory http://www.securityfocus.com/bid/106742
Third Party Advisory https://security.gentoo.org/glsa/201903-21
Mailing List https://seclists.org/bugtraq/2019/Apr/5
Third Party Advisory https://usn.ubuntu.com/3937-1/
Third Party Advisory https://www.debian.org/security/2019/dsa-4422
Patch https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
MLIST https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E
CONFIRM https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us
REDHAT https://access.redhat.com/errata/RHSA-2019:3933
REDHAT https://access.redhat.com/errata/RHSA-2019:3935
REDHAT https://access.redhat.com/errata/RHSA-2019:3932
REDHAT https://access.redhat.com/errata/RHSA-2019:4126
CONFIRM https://www.tenable.com/security/tns-2019-09
MLIST https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* http_server >= 2.4.0 <= 2.4.37

Vulnerable and fixed packages

Source package Branch Version Maintainer Status