CVE-2018-1283

Impact:
Moderate
Public Date:
2018-03-21
CWE:
CWE-20
Bugzilla:
1560395: CVE-2018-1283 httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications
It has been discovered that the mod_session module of Apache HTTP Server (httpd), through version 2.4.29, has an improper input validation flaw in the way it handles HTTP session headers in some configurations. A remote attacker may influence the session's content by supplying a "Session" header.

Find out more about CVE-2018-1283 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 5 and 6, as they did not include the mod_session module.

CVSS v3 metrics

CVSS3 Base Score: 4.8
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None

Red Hat Security Errata

Platform Errata Release Date
Red Hat Software Collections for Red Hat Enterprise Linux 6 (httpd24-httpd) RHSA-2018:3558 2018-11-13
Red Hat Software Collections for Red Hat Enterprise Linux 7 (httpd24-httpd) RHSA-2018:3558 2018-11-13

Affected Packages State

Platform Package State
Red Hat Mobile Application Platform On-Premise 4 rhmap-httpd-docker Not affected
Red Hat JBoss Web Server 3 httpd Not affected
Red Hat JBoss EWS 2 httpd Not affected
Red Hat JBoss EAP 6 httpd Not affected
Red Hat JBoss EAP 5 httpd Not affected
Red Hat JBoss Core Services 1 httpd Affected
Red Hat Enterprise Linux 7 httpd Affected
Red Hat Enterprise Linux 6 httpd Not affected
Red Hat Enterprise Linux 5 httpd Not affected
