Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2018-1283

In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

Related bugs and status

CVE-2018-1283 (Candidate) is related to these bugs:

Bug #1770242: Please merge from debian 2.4.33

Summary				In	Importance	Status
	1770242	Please merge from debian 2.4.33		apache2 (Ubuntu)	Low	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2018032...
CONFIRM: https://httpd.apache.o...
SECTRACK: 1040568
BID: 103520
DEBIAN: DSA-4164
UBUNTU: USN-3627-1
UBUNTU: USN-3627-2
CONFIRM: https://security.netap...
REDHAT: RHSA-2018:3558
CONFIRM: https://support.hpe.co...
REDHAT: RHSA-2019:0366
REDHAT: RHSA-2019:0367
MLIST: [httpd-cvs] 20190815 s...
MLIST: [httpd-cvs] 20190815 s...
CONFIRM: https://www.tenable.co...
MLIST: [httpd-cvs] 20200401 s...
MLIST: [httpd-cvs] 20200401 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210330 s...
MLIST: [httpd-cvs] 20210603 s...
MLIST: [httpd-cvs] 20210606 s...