This flaw can be exploited in httpd configurations where per-location client certificates are enabled and TLS 1.3 is used.
The attacker can remotely exploit this httpd flaw (AV:N). However, the server has to be configured to use per-location client certificates, and the attacker needs access to the authenticating client certificate (AC:H). No other significant privileges are required by the attacker (PR:L). The result of the attack is a bypass of the configured access control restrictions (CI:H). This, however, does not affect the system beyond the web server itself (S:U).
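To check whether a given configuration meets the precondition described above, the following added example (not part of the original advisory or of httpd itself) scans configuration text for `SSLVerifyClient` set inside a per-location container while `SSLProtocol` leaves TLS 1.3 enabled. The function names and the sample configuration are constructed for illustration, and the script does not check whether the installed httpd build already includes the fix.

```python
import re

# Constructed sample configuration for illustration (not from the advisory).
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLProtocol all -SSLv3
    SSLVerifyClient none
    <Location "/admin">
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

# Per-location containers in which SSLVerifyClient may be overridden.
SECTION = re.compile(r"<(/?)(Location|Directory|Files)(Match)?\b([^>]*)>", re.I)

def tls13_enabled(tokens):
    """Evaluate one SSLProtocol argument list left to right."""
    on = False
    for tok in tokens:
        if tok.lstrip("+-").lower() in ("all", "tlsv1.3"):
            on = not tok.startswith("-")
    return on

def audit(conf_text):
    """Return per-location SSLVerifyClient uses and whether TLS 1.3 stays on."""
    stack, findings, protocols = [], [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            if m.group(1) and stack:
                stack.pop()          # closing tag: leave the container
            elif not m.group(1):
                stack.append(f"{m.group(2)}{m.group(3) or ''} {m.group(4).strip()}")
            continue
        parts = line.split()
        if parts[0].lower() == "sslprotocol":
            protocols.append(tls13_enabled(parts[1:]))
        elif parts[0].lower() == "sslverifyclient" and stack and len(parts) > 1:
            if parts[1].lower() != "none":
                findings.append((lineno, stack[-1], parts[1]))
    # Assumption: with no SSLProtocol directive the default leaves TLS 1.3
    # enabled whenever the linked OpenSSL supports it.
    tls13 = any(protocols) if protocols else True
    return {"per_location": findings, "tls13": tls13,
            "exposed": bool(findings) and tls13}
```

Calling `audit(SAMPLE_CONF)` reports the `/admin` location and marks the configuration as matching the precondition; a match means the host should be checked against the errata listed below.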
CVSS v3 metrics
|CVSS3 Base Score|6.8|
|CVSS3 Base Metrics|CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N|
Red Hat Security Errata
|Red Hat Enterprise Linux 8 (httpd:2.4)|RHSA-2019:0980|2019-05-07|
CVE description copyright © 2017, The MITRE Corporation