Home

CVE-2018-17199

Description

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

Risk Information

Base Score
7.5
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score
Exploitation Probability
10.294

Associated Vulnerability

VulnerabilityOS Platform
Update Apache to version 2.4.38Windows
Vulnerabilities CVE-2018-17199 are fixed in Apache 2.4.38Windows
Apache HTTP server (USN-3937-1) apache2-bin_2.4.29-1ubuntu4.6_i386.debLinux
Apache HTTP server (USN-3937-1) apache2-bin_2.4.29-1ubuntu4.6_amd64.debLinux
Apache HTTP server (USN-3937-1) apache2-bin_2.4.34-1ubuntu2.1_i386.debLinux
Apache HTTP server (USN-3937-1) apache2-bin_2.4.34-1ubuntu2.1_amd64.debLinux
Apache HTTP server (USN-3937-1) apache2-bin_2.4.7-1ubuntu4.22_i386.debLinux
Apache HTTP server (USN-3937-1) apache2-bin_2.4.7-1ubuntu4.22_amd64.debLinux
Apache HTTP server (USN-3937-1) apache2-bin_2.4.18-2ubuntu3.10_i386.debLinux
Apache HTTP server (USN-3937-1) apache2-bin_2.4.18-2ubuntu3.10_amd64.debLinux
apache2 security update(DSA-4422-1) apache2_2.4.25-3+deb9u7_i386.debLinux
apache2 security update(DSA-4422-1) apache2_2.4.25-3+deb9u7_amd64.debLinux
(RHSA-2020:1121) httpd security, bug fix, and enhancement update httpd-2.4.6-93.el7.x86_64.rpmLinux
(RHSA-2020:1121) httpd security, bug fix, and enhancement update httpd-devel-2.4.6-93.el7.x86_64.rpmLinux
(RHSA-2020:1121) httpd security, bug fix, and enhancement update httpd-manual-2.4.6-93.el7.noarch.rpmLinux
(RHSA-2020:1121) httpd security, bug fix, and enhancement update httpd-tools-2.4.6-93.el7.x86_64.rpmLinux
(RHSA-2020:1121) httpd security, bug fix, and enhancement update mod_ldap-2.4.6-93.el7.x86_64.rpmLinux
(RHSA-2020:1121) httpd security, bug fix, and enhancement update mod_proxy_html-2.4.6-93.el7.x86_64.rpmLinux
(RHSA-2020:1121) httpd security, bug fix, and enhancement update mod_session-2.4.6-93.el7.x86_64.rpmLinux
(RHSA-2020:1121) httpd security, bug fix, and enhancement update mod_ssl-2.4.6-93.el7.x86_64.rpmLinux
Update Apache to version 2.4.38 (For Linux)Linux
(RHSA-2021:1809) httpd:2.4 security, bug fix, and enhancement update httpd-2.4.37-39.module+el8.4.0+9658+b87b2deb.x86_64.rpmLinux
(RHSA-2021:1809) httpd:2.4 security, bug fix, and enhancement update httpd-debugsource-2.4.37-39.module+el8.4.0+9658+b87b2deb.x86_64.rpmLinux
(RHSA-2021:1809) httpd:2.4 security, bug fix, and enhancement update httpd-devel-2.4.37-39.module+el8.4.0+9658+b87b2deb.x86_64.rpmLinux
(RHSA-2021:1809) httpd:2.4 security, bug fix, and enhancement update httpd-filesystem-2.4.37-39.module+el8.4.0+9658+b87b2deb.noarch.rpmLinux
(RHSA-2021:1809) httpd:2.4 security, bug fix, and enhancement update httpd-manual-2.4.37-39.module+el8.4.0+9658+b87b2deb.noarch.rpmLinux
(RHSA-2021:1809) httpd:2.4 security, bug fix, and enhancement update httpd-tools-2.4.37-39.module+el8.4.0+9658+b87b2deb.x86_64.rpmLinux
(RHSA-2021:1809) httpd:2.4 security, bug fix, and enhancement update mod_http2-1.15.7-3.module+el8.4.0+8625+d397f3da.x86_64.rpmLinux
(RHSA-2021:1809) httpd:2.4 security, bug fix, and enhancement update mod_http2-debugsource-1.15.7-3.module+el8.4.0+8625+d397f3da.x86_64.rpmLinux
(RHSA-2021:1809) httpd:2.4 security, bug fix, and enhancement update mod_ldap-2.4.37-39.module+el8.4.0+9658+b87b2deb.x86_64.rpmLinux
(RHSA-2021:1809) httpd:2.4 security, bug fix, and enhancement update mod_proxy_html-2.4.37-39.module+el8.4.0+9658+b87b2deb.x86_64.rpmLinux
(RHSA-2021:1809) httpd:2.4 security, bug fix, and enhancement update mod_session-2.4.37-39.module+el8.4.0+9658+b87b2deb.x86_64.rpmLinux
(RHSA-2021:1809) httpd:2.4 security, bug fix, and enhancement update mod_ssl-2.4.37-39.module+el8.4.0+9658+b87b2deb.x86_64.rpmLinux
Session Fixation Vulnerability (CVE-2018-17199)NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234