CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass

CVE ID

CVE-2017-3167

DESCRIPTION

It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd.

Unitrends risk assessment:  Medium, or None if current security update is applied
 

RESOLUTION

For CentOS6, Unitrends security update dated 11/06/2017 or later has httpd-2.2.15-60.el6.centos.6 and this issue was fixed in httpd-2.2.15-60.el6.centos.5 / httpd-2.2.15-60.el6_9.5
For CentOS5, the system should be migrated to CentOS6.
 

LINK TO ADVISORIES

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us