CVE-2018-1283

In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a Session header. This comes from the HTTP_SESSION variable name used by mod_session to forward its data to CGIs, since the prefix HTTP_ is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

Affected Software

Name	Vendor	Start Version	End Version
Http_server	Apache	2.4.0 (including)	2.4.29 (including)
JBoss Core Services on RHEL 6	RedHat	jbcs-httpd24-0:1-6.jbcs.el6	*
JBoss Core Services on RHEL 6	RedHat	jbcs-httpd24-apache-commons-daemon-jsvc-1:1.1.0-3.redhat_2.jbcs.el6	*
JBoss Core Services on RHEL 6	RedHat	jbcs-httpd24-apr-0:1.6.3-31.jbcs.el6	*
JBoss Core Services on RHEL 6	RedHat	jbcs-httpd24-apr-util-0:1.6.1-24.jbcs.el6	*
JBoss Core Services on RHEL 6	RedHat	jbcs-httpd24-httpd-0:2.4.29-35.jbcs.el6	*
JBoss Core Services on RHEL 6	RedHat	jbcs-httpd24-mod_cluster-native-0:1.3.8-3.Final_redhat_2.jbcs.el6	*
JBoss Core Services on RHEL 6	RedHat	jbcs-httpd24-mod_jk-0:1.2.46-1.redhat_1.jbcs.el6	*
JBoss Core Services on RHEL 6	RedHat	jbcs-httpd24-nghttp2-0:1.29.0-9.jbcs.el6	*
JBoss Core Services on RHEL 6	RedHat	jbcs-httpd24-openssl-1:1.0.2n-14.jbcs.el6	*
JBoss Core Services on RHEL 7	RedHat	jbcs-httpd24-0:1-6.jbcs.el7	*
JBoss Core Services on RHEL 7	RedHat	jbcs-httpd24-apache-commons-daemon-jsvc-1:1.1.0-3.redhat_2.jbcs.el7	*
JBoss Core Services on RHEL 7	RedHat	jbcs-httpd24-apr-0:1.6.3-31.jbcs.el7	*
JBoss Core Services on RHEL 7	RedHat	jbcs-httpd24-apr-util-0:1.6.1-24.jbcs.el7	*
JBoss Core Services on RHEL 7	RedHat	jbcs-httpd24-httpd-0:2.4.29-35.jbcs.el7	*
JBoss Core Services on RHEL 7	RedHat	jbcs-httpd24-mod_cluster-native-0:1.3.8-3.Final_redhat_2.jbcs.el7	*
JBoss Core Services on RHEL 7	RedHat	jbcs-httpd24-mod_jk-0:1.2.46-1.redhat_1.jbcs.el7	*
JBoss Core Services on RHEL 7	RedHat	jbcs-httpd24-nghttp2-0:1.29.0-9.jbcs.el7	*
JBoss Core Services on RHEL 7	RedHat	jbcs-httpd24-openssl-1:1.0.2n-14.jbcs.el7	*
Red Hat Enterprise Linux 7	RedHat	httpd-0:2.4.6-95.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 6	RedHat	httpd24-curl-0:7.61.1-1.el6	*
Red Hat Software Collections for Red Hat Enterprise Linux 6	RedHat	httpd24-httpd-0:2.4.34-7.el6	*
Red Hat Software Collections for Red Hat Enterprise Linux 6	RedHat	httpd24-nghttp2-0:1.7.1-7.el6	*
Red Hat Software Collections for Red Hat Enterprise Linux 7	RedHat	httpd24-curl-0:7.61.1-1.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7	RedHat	httpd24-httpd-0:2.4.34-7.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7	RedHat	httpd24-nghttp2-0:1.7.1-7.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS	RedHat	httpd24-curl-0:7.61.1-1.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS	RedHat	httpd24-httpd-0:2.4.34-7.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS	RedHat	httpd24-nghttp2-0:1.7.1-7.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS	RedHat	httpd24-curl-0:7.61.1-1.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS	RedHat	httpd24-httpd-0:2.4.34-7.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS	RedHat	httpd24-nghttp2-0:1.7.1-7.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS	RedHat	httpd24-curl-0:7.61.1-1.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS	RedHat	httpd24-httpd-0:2.4.34-7.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS	RedHat	httpd24-nghttp2-0:1.7.1-7.el7	*
Text-Only JBCS	RedHat	httpd	*
Apache2	Ubuntu	artful	*
Apache2	Ubuntu	bionic	*
Apache2	Ubuntu	devel	*
Apache2	Ubuntu	esm-infra-legacy/trusty	*
Apache2	Ubuntu	esm-infra/bionic	*
Apache2	Ubuntu	esm-infra/xenial	*
Apache2	Ubuntu	trusty	*
Apache2	Ubuntu	trusty/esm	*
Apache2	Ubuntu	upstream	*
Apache2	Ubuntu	xenial	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2018-1283
CWE	https://cwe.mitre.org/data/definitions/.html

Affected Software

References