CVE Vulnerabilities

CVE-2018-1283

Published: Mar 26, 2018 | Modified: Nov 07, 2023
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
3.5 LOW
AV:N/AC:M/Au:S/C:N/I:P/A:N
RedHat/V2
RedHat/V3
4.8 MODERATE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Ubuntu
LOW

In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a Session header. This comes from the HTTP_SESSION variable name used by mod_session to forward its data to CGIs, since the prefix HTTP_ is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

Affected Software

Name Vendor Start Version End Version
Http_server Apache 2.4.0 (including) 2.4.29 (including)
JBoss Core Services on RHEL 6 RedHat jbcs-httpd24-0:1-6.jbcs.el6 *
JBoss Core Services on RHEL 6 RedHat jbcs-httpd24-apache-commons-daemon-jsvc-1:1.1.0-3.redhat_2.jbcs.el6 *
JBoss Core Services on RHEL 6 RedHat jbcs-httpd24-apr-0:1.6.3-31.jbcs.el6 *
JBoss Core Services on RHEL 6 RedHat jbcs-httpd24-apr-util-0:1.6.1-24.jbcs.el6 *
JBoss Core Services on RHEL 6 RedHat jbcs-httpd24-httpd-0:2.4.29-35.jbcs.el6 *
JBoss Core Services on RHEL 6 RedHat jbcs-httpd24-mod_cluster-native-0:1.3.8-3.Final_redhat_2.jbcs.el6 *
JBoss Core Services on RHEL 6 RedHat jbcs-httpd24-mod_jk-0:1.2.46-1.redhat_1.jbcs.el6 *
JBoss Core Services on RHEL 6 RedHat jbcs-httpd24-nghttp2-0:1.29.0-9.jbcs.el6 *
JBoss Core Services on RHEL 6 RedHat jbcs-httpd24-openssl-1:1.0.2n-14.jbcs.el6 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-0:1-6.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-apache-commons-daemon-jsvc-1:1.1.0-3.redhat_2.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-apr-0:1.6.3-31.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-apr-util-0:1.6.1-24.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-httpd-0:2.4.29-35.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-mod_cluster-native-0:1.3.8-3.Final_redhat_2.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-mod_jk-0:1.2.46-1.redhat_1.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-nghttp2-0:1.29.0-9.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-openssl-1:1.0.2n-14.jbcs.el7 *
Red Hat Enterprise Linux 7 RedHat httpd-0:2.4.6-95.el7 *
Red Hat JBoss Core Services 1 RedHat httpd *
Red Hat Software Collections for Red Hat Enterprise Linux 6 RedHat httpd24-curl-0:7.61.1-1.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 6 RedHat httpd24-httpd-0:2.4.34-7.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 6 RedHat httpd24-nghttp2-0:1.7.1-7.el6 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat httpd24-curl-0:7.61.1-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat httpd24-httpd-0:2.4.34-7.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat httpd24-nghttp2-0:1.7.1-7.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS RedHat httpd24-curl-0:7.61.1-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS RedHat httpd24-httpd-0:2.4.34-7.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS RedHat httpd24-nghttp2-0:1.7.1-7.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS RedHat httpd24-curl-0:7.61.1-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS RedHat httpd24-httpd-0:2.4.34-7.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS RedHat httpd24-nghttp2-0:1.7.1-7.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS RedHat httpd24-curl-0:7.61.1-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS RedHat httpd24-httpd-0:2.4.34-7.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS RedHat httpd24-nghttp2-0:1.7.1-7.el7 *
Apache2 Ubuntu artful *
Apache2 Ubuntu bionic *
Apache2 Ubuntu devel *
Apache2 Ubuntu trusty *
Apache2 Ubuntu upstream *
Apache2 Ubuntu xenial *

References