First published: Mon Mar 26 2018
Apache HTTP Server (httpd) through version 2.4.29 has a vulnerability in the handling of HTTP session headers in mod_session. When mod_session is configured to forward its session data to CGI applications (SessionEnv on, which is not the default), a remote user may influence the content of that forwarded session data by sending a "Session" request header.

Upstream Advisory: https://httpd.apache.org/security/vulnerabilities_24.html
Upstream Patch: https://svn.apache.org/viewvc?view=revision&sortby=log&revision=1824477
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/httpd | <2.4.30 | 2.4.30 |
Apache HTTP server | >=2.4.0, <=2.4.29 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =17.10 | |
Canonical Ubuntu Linux | =18.04 | |
Netapp Santricity Cloud Connector | | |
Netapp Storage Automation Store | | |
Netapp Storagegrid | | |
NetApp Clustered Data ONTAP | | |
Redhat Enterprise Linux | =6.0 | |
Redhat Enterprise Linux | =7.0 | |
Redhat Enterprise Linux | =7.4 | |
Redhat Enterprise Linux | =7.5 | |
Redhat Enterprise Linux | =7.6 | |
debian/apache2 | 2.4.62-1~deb11u1, 2.4.62-1~deb11u2, 2.4.62-1~deb12u1, 2.4.62-1~deb12u2, 2.4.62-3 | |
CVE-2018-1283 is a vulnerability in Apache httpd that allows a remote user to influence the session data that mod_session forwards to CGI applications (only when SessionEnv is on) by sending a "Session" header.
CVE-2018-1283 has a severity rating of 5.3, which is considered medium.
Apache httpd versions 2.4.0 to 2.4.29 are affected by CVE-2018-1283.
To fix CVE-2018-1283, it is recommended to upgrade to Apache httpd version 2.4.30 or later.
You can find more information about CVE-2018-1283 on the Apache httpd website and in the Red Hat Bugzilla.
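The description at the top of this page and the answers above give two conditions that both have to hold for an instance to be exposed: an httpd version in the 2.4.0 to 2.4.29 range, and `SessionEnv on` in the configuration. The script below is an added example written for this page (it is not SecAlerts' or the Apache project's code) that turns those two conditions into a repeatable check: it parses the version line printed by `httpd -v`, compares it with the affected range, and scans the httpd configuration for an uncommented `SessionEnv on` directive. The `httpd -v` output and the configuration text are constructed samples; `Session` and `SessionEnv` are real mod_session directives, and treating any uncommented `SessionEnv on` anywhere in the configuration as enabled (rather than modelling directive scopes) is this script's own conservative assumption.

```python
"""CVE-2018-1283 exposure check for Apache httpd (added example, not project code).

Inputs assumed: the text printed by `httpd -v` and the text of the httpd
configuration. An instance is reported as exposed only when the version is
within 2.4.0..2.4.29 AND an uncommented `SessionEnv on` directive is present,
which is the non-default condition the advisory names.
"""
import re

AFFECTED_MIN = (2, 4, 0)
AFFECTED_MAX = (2, 4, 29)  # last affected release; 2.4.30 carries the fix
FIXED_IN = "2.4.30"

# `httpd -v` prints a line such as "Server version: Apache/2.4.29 (Unix)".
_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
# SessionEnv directive at the start of a line; a leading '#' (comment) will
# not match because only whitespace may precede the directive name.
_SESSIONENV_RE = re.compile(r"^\s*SessionEnv\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(httpd_v_output: str):
    """Return (major, minor, patch) from `httpd -v` output, or None if absent."""
    m = _VERSION_RE.search(httpd_v_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def version_affected(version) -> bool:
    """True when the version tuple lies inside the affected range."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def session_env_enabled(config_text: str) -> bool:
    """True if any uncommented SessionEnv directive is set to 'on'.

    Assumption (this script's own, conservative): the directive can be set per
    directory or location, so one enabled occurrence anywhere counts; scope
    nesting is not modelled. The default, with no directive, is off.
    """
    return any(value.lower() == "on" for value in _SESSIONENV_RE.findall(config_text))


def assess(httpd_v_output: str, config_text: str) -> dict:
    """Combine the version and configuration checks into one verdict."""
    version = parse_version(httpd_v_output)
    affected = version_affected(version)
    forwarding = session_env_enabled(config_text)
    return {
        "version": version,
        "version_affected": affected,
        "session_env_on": forwarding,
        "exposed": affected and forwarding,
        "advice": f"upgrade to {FIXED_IN} or later" if affected else "version not affected",
    }


# Constructed sample inputs (not captured from a real host).
SAMPLE_HTTPD_V = (
    "Server version: Apache/2.4.29 (Unix)\n"
    "Server built:   Mar  1 2018 00:00:00\n"
)
SAMPLE_CONFIG = """
LoadModule session_module modules/mod_session.so
<Location "/app">
    Session On
    # SessionEnv on   <- commented out, must not count
    SessionEnv on
</Location>
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_HTTPD_V, SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against real hosts by feeding it the captured `httpd -v` output and the concatenated configuration (including any files pulled in with `Include`); a `version_affected` of True with `session_env_on` False still warrants the upgrade, since the fix version is the only complete remedy.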