Public Date:
1695025: CVE-2019-0215 httpd: mod_ssl: access control bypass when using per-location client certificate authentication

The MITRE CVE dictionary describes this issue as:

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

Find out more about CVE-2019-0215 from the MITRE CVE dictionary and NIST NVD.


This flaw affects the upstream httpd releases 2.4.37 and 2.4.38 and can only be exploited against configurations that enable per-location client certificate verification (SSLVerifyClient set inside a <Location>, <Directory> or similar context rather than for the whole virtual host) and negotiate TLS 1.3 with the client.

The attacker can exploit this httpd flaw remotely (AV:N). However, the server has to be configured to use per-location client certificate verification, and the attacker needs to have access to the authenticating client certificate (AC:H). No other significant privileges are required by the attacker (PR:L), and no user interaction is needed (UI:N). The result of the attack is a bypass of the configured access control restrictions, exposing the protected resources to both reading and modification (C:H/I:H). Availability is not affected (A:N), and the impact does not extend beyond the web server itself (S:U).
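To find the configuration pattern described above in your own httpd deployment, here is an added audit script (written for this page; it is not code from Red Hat or the httpd project). It parses httpd configuration text, applies the +/-/bare word semantics of the SSLProtocol directive to work out whether a virtual host still offers TLSv1.3, and flags every SSLVerifyClient directive placed inside a per-location container of such a host. The two configurations embedded in it are constructed samples: the first shows the exposed pattern, the second shows the same access control moved to the virtual-host level for one host and, for a second host, TLSv1.3 removed from SSLProtocol. Both of those changes are this example's own suggestions, not mitigations stated on this page, and removing TLSv1.3 is only an interim workaround; the fix is updating httpd to a patched build, such as the RHSA-2019:0980 packages listed below.

```python
"""Audit httpd configuration text for the CVE-2019-0215 exposure pattern:
SSLVerifyClient inside a per-location container of a virtual host that still
offers TLSv1.3.  Added example, not code from the page or the httpd project;
both sample configurations below are constructed for illustration."""
import re

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
_CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}
PER_LOCATION = {"location", "locationmatch", "directory", "directorymatch",
                "files", "filesmatch"}
_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
_CLOSE = re.compile(r"^</\w+>$")

# Constructed sample: the vhost inherits TLSv1.3 from the server-level
# SSLProtocol and asks for the client certificate only under /admin.
VULNERABLE_CONF = """\
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
<VirtualHost *:443>
    SSLEngine on
    SSLCACertificateFile /etc/pki/tls/certs/client-ca.crt
    <Location "/admin">
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

# Constructed sample: the first host requires the certificate for the whole host
# (no per-location verification); the second keeps it but drops TLSv1.3 (an
# interim workaround, not a substitute for the fixed package).
MITIGATED_CONF = """\
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
<VirtualHost *:443>
    SSLEngine on
    SSLCACertificateFile /etc/pki/tls/certs/client-ca.crt
    SSLVerifyClient require
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
    SSLCACertificateFile /etc/pki/tls/certs/client-ca.crt
    <Directory "/var/www/legacy/private">
        SSLVerifyClient require
    </Directory>
</VirtualHost>
"""


def parse_ssl_protocol(arg):
    """mod_ssl SSLProtocol semantics: '+name' adds, '-name' removes, a bare
    name or 'all' replaces the current set."""
    enabled = set()
    for word in arg.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        if name.lower() == "all":
            chosen = set(ALL_PROTOCOLS)
        elif name.lower() in _CANONICAL:
            chosen = {_CANONICAL[name.lower()]}
        else:
            continue  # e.g. SSLv2, which current builds cannot offer anyway
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen
    return enabled


def audit(conf_text):
    """One finding per SSLVerifyClient in a per-location container; vulnerable
    when it requests a certificate and the enclosing vhost offers TLSv1.3."""
    protocols = {None: set(ALL_PROTOCOLS)}  # vhost key -> offered protocols
    pending, stack, vhosts = [], [], 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            kind, arg = opened.group(1).lower(), opened.group(2).strip()
            if kind == "virtualhost":
                vhosts += 1
                arg = f"{arg}#{vhosts}"  # keep identically addressed vhosts apart
            stack.append((kind, arg))
        elif _CLOSE.match(line):
            stack.pop()
        else:
            directive, value = (line.split(None, 1) + [""])[:2]
            vhost = next((a for k, a in stack if k == "virtualhost"), None)
            locations = [a for k, a in stack if k in PER_LOCATION]
            if directive.lower() == "sslprotocol" and not locations:
                protocols[vhost] = parse_ssl_protocol(value)
            elif directive.lower() == "sslverifyclient" and locations:
                pending.append((vhost, locations[-1], value.strip('"').lower()))
    findings = []
    for vhost, location, mode in pending:
        tls13 = "TLSv1.3" in protocols.get(vhost, protocols[None])  # vhost inherits
        findings.append({"vhost": vhost or "(server)", "location": location,
                         "mode": mode, "tls13": tls13,
                         "vulnerable": mode != "none" and tls13})
    return findings


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("mitigated", MITIGATED_CONF)):
        for finding in audit(conf):
            print(label, finding)
```

Run it directly to print the findings for the two samples, or call audit() on the text of your own httpd.conf. It reads only the text it is given: Include directives and .htaccess files are not followed, and it reports the configuration pattern, not whether the installed httpd build is one of the affected releases.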

CVSS v3 metrics

CVSS3 Base Score 6.8
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Impact High
Integrity Impact High
Availability Impact None

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 8 (httpd:2.4) RHSA-2019:0980 2019-05-07

Affected Packages State

Platform Package State
Red Hat Virtualization 4 rhvm-appliance Not affected
Red Hat Software Collections for Red Hat Enterprise Linux httpd24-httpd Not affected
Red Hat JBoss EWS 2 httpd Not affected
Red Hat JBoss Core Services 1 httpd Not affected
Red Hat Enterprise Linux 7 httpd Not affected
Red Hat Enterprise Linux 6 httpd Not affected
Red Hat Enterprise Linux 5 httpd Not affected
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation