First published: Tue Sep 06 2005
ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache HTTP Server | >=2.0.35, <2.0.55 | |
| Debian Linux | =3.1 | |
| Debian Linux | =3.0 | |
| Ubuntu | =4.10 | |
| Ubuntu | =5.04 | |
The severity of CVE-2005-2700 is considered moderate, as it allows remote attackers to bypass access restrictions.
To fix CVE-2005-2700, run a mod_ssl release that is not affected (2.8.24 or later, per the description above) and confirm that 'SSLVerifyClient require' is actually enforced in every per-location context that depends on it.
CVE-2005-2700 affects mod_ssl versions before 2.8.24, shipped with Apache HTTP Server versions from 2.0.35 up to but not including 2.0.55.
CVE-2005-2700 also affects Debian Linux 3.0 and 3.1, and Ubuntu 4.10 and 5.04, where those releases ship the vulnerable mod_ssl.
CVE-2005-2700 allows clients that would not satisfy a per-location 'SSLVerifyClient require' to reach the resources that directive was meant to restrict, which undermines any access control built on client-certificate verification.
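As an added configuration check (example code written for this page, not part of the advisory or of mod_ssl), the following Python scans an httpd.conf for the combination the description refers to: 'SSLVerifyClient optional' at server or virtual-host scope together with 'SSLVerifyClient require' inside a per-location container. The sample configuration is constructed, and the container names and directive parsing are simplified assumptions that do not follow Include files.

```python
import re

# Constructed httpd.conf fragment (not from the advisory) showing the pattern
# CVE-2005-2700 concerns: "optional" at vhost scope, "require" per location.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLVerifyClient optional
    <Location /secure>
        SSLVerifyClient require
    </Location>
    <Location /public>
        SSLVerifyClient none
    </Location>
</VirtualHost>
"""

# Simplified container set (assumption): enough for typical mod_ssl layouts.
CONTAINERS = r"(VirtualHost|LocationMatch|Location|Directory|Files)"
OPEN_RE = re.compile(r"^\s*<" + CONTAINERS + r"\b([^>]*)>", re.I)
CLOSE_RE = re.compile(r"^\s*</" + CONTAINERS + r">", re.I)
VERIFY_RE = re.compile(r"^\s*SSLVerifyClient\s+(\S+)", re.I)

def find_risky_contexts(conf_text):
    """Return (scope_arg, location_arg) pairs where a per-location
    'SSLVerifyClient require' is nested in a server/vhost scope whose own
    setting is 'optional'.  On mod_ssl before 2.8.24 that 'require' may not
    be enforced, so these are the contexts to re-verify after upgrading."""
    root = ["server", "(global)", None]          # [type, argument, mode]
    stack = [root]
    pending = []                                 # (scope_ctx, location_ctx)
    for line in conf_text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            stack.append([m.group(1).lower(), m.group(2).strip(), None])
            continue
        if CLOSE_RE.match(line) and len(stack) > 1:
            stack.pop()
            continue
        m = VERIFY_RE.match(line)
        if m:
            ctx = stack[-1]
            ctx[2] = m.group(1).lower()
            if ctx[0] not in ("server", "virtualhost") and ctx[2] == "require":
                scope = next(c for c in reversed(stack)
                             if c[0] in ("server", "virtualhost"))
                pending.append((scope, ctx))
    # Decide only after the whole file is read: the scope-level directive may
    # appear after the <Location> block it governs.  A vhost without its own
    # SSLVerifyClient inherits the server-level value.
    return [(s[1], c[1]) for s, c in pending
            if (s[2] if s[2] is not None else root[2]) == "optional"]
```

Any pair the function returns identifies a location whose client-certificate requirement should be confirmed by test against the running server rather than trusted from the configuration alone.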