BSA-2018-559
21641
20 September 2018
30 March 2018
Closed
Low
4.8
N/A
CVE-2018-1283
Summary
Security Advisory ID : BSA-2018-559
Component : Apache HTTPD
Revision : 2.0: Final
Apache HTTP Server (httpd) mod_session module has an improper input validation flaw in the way it handles HTTP session headers in some configurations. When mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user can influence the session contents that the CGI program receives by sending a "Session" request header.
This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs: the prefix "HTTP_" is also the one the Apache HTTP Server uses to pass client request header fields to CGI programs, per the CGI specification (RFC 3875), under which a request header named "Session" is exported as the meta-variable "HTTP_SESSION". A client-supplied header therefore collides with the variable the module sets.
Upstream rates the severity as Moderate because "SessionEnv on" is neither a default nor a common configuration; where it is enabled, the issue should be considered more severe because it is remotely exploitable. The flaw was fixed upstream in httpd 2.4.30.
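The following Python model, added here as an illustration and not taken from the advisory or from Apache httpd source, shows the name collision described above: the RFC 3875 mapping from request header names to CGI meta-variables, a mod_session-style export of the decoded session into HTTP_SESSION when SessionEnv is on, and the effect of dropping the client's "Session" header before headers are exported. The session strings, header values and the precedence applied (the header export overlays the module's value) are constructed assumptions chosen to make the attacker-controlled value visible; real httpd builds the CGI environment differently in detail.

```python
"""Model of the CVE-2018-1283 HTTP_SESSION name collision.

Illustrative reconstruction for this advisory page; not Apache httpd code.
Assumptions: the CGI header export runs after mod_session's fixup and
overwrites an existing HTTP_SESSION entry; all sample data is constructed.
"""

import re


def cgi_meta_variable(header_name: str) -> str:
    """RFC 3875 section 4.1.18: a request header becomes HTTP_<NAME>, with the
    name upper-cased and "-" turned into "_". Any other non-alphanumeric
    character is mapped to "_" here as well (assumption for robustness)."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", header_name.upper())


def build_cgi_env(headers_in: dict, session_data: str, *,
                  session_env: bool, strip_session_header: bool) -> dict:
    """Return the environment a CGI program would see.

    headers_in            client request headers (name -> value)
    session_data          server-side session contents as decoded by mod_session
    session_env           whether "SessionEnv on" is configured
    strip_session_header  whether the client "Session" header is dropped
                          before request headers are exported (the hardened
                          behaviour modelled here; assumption)
    """
    headers = dict(headers_in)
    env = {}

    # Fixup phase: with SessionEnv on, the module exports the decoded
    # session under the fixed name HTTP_SESSION.
    if session_env:
        env["HTTP_SESSION"] = session_data

    # Hardened variant: make sure no client header can claim that name.
    if strip_session_header:
        headers = {k: v for k, v in headers.items() if k.lower() != "session"}

    # CGI handler phase: every remaining request header is exported as
    # HTTP_<NAME>. Without the strip, a client "Session:" header lands in
    # HTTP_SESSION too and, under this model's precedence, overwrites it.
    for name, value in headers.items():
        env[cgi_meta_variable(name)] = value
    return env


def demo():
    """Vulnerable vs hardened export for one forged request (constructed data)."""
    real_session = "ident=alice&role=user"      # constructed server-side session
    forged = "ident=alice&role=admin"           # constructed attacker header value
    attacker_headers = {"Host": "www.example.com", "Session": forged}

    vulnerable = build_cgi_env(attacker_headers, real_session,
                               session_env=True, strip_session_header=False)
    hardened = build_cgi_env(attacker_headers, real_session,
                             session_env=True, strip_session_header=True)
    return vulnerable["HTTP_SESSION"], hardened["HTTP_SESSION"]


if __name__ == "__main__":
    seen_vulnerable, seen_hardened = demo()
    print("SessionEnv on, header not stripped:", seen_vulnerable)
    print("SessionEnv on, header stripped:    ", seen_hardened)
```

Two points the model makes explicit: with the header left in place the CGI reads the attacker's string in HTTP_SESSION, and even with SessionEnv off a client can still plant HTTP_SESSION in a CGI's environment, so a CGI must never treat that variable as server-originated unless the server guarantees the client header is removed. On an unpatched httpd that must keep SessionEnv on, dropping the header with mod_headers (for example `RequestHeader unset Session early`) is a workaround suggested here, not one taken from the advisory.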
Affected Products
No Brocade Fibre Channel technology products from Broadcom are currently known to be affected by this vulnerability.
Revision History
Version | Change | Date |
---|---|---|
1.0 | Initial Publication | Mar 30, 2018 |
2.0 | Updated FOS (Fabric OS) | Sept 20, 2018 |