A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker.
Users are recommended to upgrade to version 2.4.67, which fixes this issue.
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Http_server | Apache | * | 2.4.67 (excluding) |
| Red Hat Enterprise Linux 10 | RedHat | httpd-0:2.4.63-13.el10_2.4 | * |
| Red Hat Hardened Images | RedHat | httpd-main-2.4.67-1.hum1 | * |
| Apache2 | Ubuntu | devel | * |
| Apache2 | Ubuntu | esm-infra/xenial | * |
| Apache2 | Ubuntu | jammy | * |
| Apache2 | Ubuntu | noble | * |
| Apache2 | Ubuntu | questing | * |
| Apache2 | Ubuntu | resolute | * |
| Apache2 | Ubuntu | upstream | * |