ssl_engine_kernel.c in mod_ssl before 2.8.24, when using SSLVerifyClient optional in the global virtual host configuration, does not properly enforce SSLVerifyClient require in a per-location context, which allows remote attackers to bypass intended access restrictions.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Http_server | Apache | 2.0.35 | * |
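
An added example (not part of the advisory or of mod_ssl): a Python audit that flags the configuration shape the description names, a per-location `SSLVerifyClient require` under an enclosing `SSLVerifyClient optional`. The sample configuration is constructed and the function name `audit` is hypothetical. The check covers the main-server level as well as virtual hosts, and assumes a virtual host that sets no value inherits the main server's.

```python
import re

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """\
SSLVerifyClient optional
<VirtualHost *:443>
    <Location /admin>
        SSLVerifyClient require
    </Location>
    <Location /public>
        SSLVerifyClient none
    </Location>
</VirtualHost>
"""

PER_DIR = {"location", "locationmatch", "directory", "directorymatch", "files", "filesmatch"}
OPEN = re.compile(r"<\s*(\w+)[^>]*>")
CLOSE = re.compile(r"<\s*/\s*\w+\s*>")
VERIFY = re.compile(r"SSLVerifyClient\s+(\S+)", re.I)

def audit(conf_text):
    """Return (line_no, section) for each per-location 'require' under an outer 'optional'."""
    stack, outer, per_dir, vhosts = [], {}, [], 0
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            del stack[-1:]                # tolerate an unmatched close tag
            continue
        m = OPEN.match(line)
        if m:
            name = m.group(1).lower()
            vhosts += name == "virtualhost"
            stack.append((name, line, vhosts if name == "virtualhost" else None))
            continue
        m = VERIFY.match(line)
        if not m:
            continue
        value = m.group(1).lower()
        vhost = next((s[2] for s in stack if s[0] == "virtualhost"), None)
        section = next((s[1] for s in reversed(stack) if s[0] in PER_DIR), None)
        if section is None:
            outer[vhost] = value          # main server (key None) or one vhost
        else:
            per_dir.append((no, vhost, section, value))
    # Assumption: a vhost with no setting inherits the main server's; default is none.
    return [(no, sec) for no, vh, sec, val in per_dir
            if val == "require" and outer.get(vh, outer.get(None, "none")) == "optional"]
```

Call `audit()` on the text of a server's configuration file; each returned pair is the line number of the `require` directive and the section that contains it. A finding identifies configuration to review on an affected version; the script does not check the installed mod_ssl or Apache version.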