CVE-2018-1283
moderate-risk
Published 2018-03-26
In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, which is not the default), a remote user can influence that session data by sending a "Session" request header. The cause is the "HTTP_SESSION" variable name mod_session uses to export its data to CGIs: the "HTTP_" prefix is also the one the Apache HTTP Server uses, per the CGI specification, to pass request header fields to the script, so a client-supplied "Session" header arrives under the same variable name.
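The collision is easiest to see by building the CGI environment the way the specification describes it. The following is an added example written for this page; it is not code from the CVE page, from Apache httpd or from mod_session. It implements the RFC 3875 header-to-variable mapping, exports a session string under HTTP_SESSION the way the description says mod_session does, and shows a forged "Session" header landing on the same name. The write order (header-derived variables applied after the module export), the "name=value&name=value" shape of the exported session, the request headers and the role check are all constructed assumptions for the demonstration.

```python
import re
from urllib.parse import parse_qsl

# Variable name mod_session uses to export session data to CGIs when SessionEnv is on
# (stated in the CVE description).
SESSION_ENV_VAR = "HTTP_SESSION"


def cgi_header_env_name(header_name):
    """Map a request header name to its CGI meta-variable (RFC 3875 section 4.1.18):
    'HTTP_' + the name upper-cased, with every non-alphanumeric character replaced by '_'."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", header_name.upper())


def build_cgi_env(request_headers, session_export=None, strip_session_header=False):
    """Build the CGI environment a script would see.

    request_headers:      list of (name, value) pairs from the client (constructed input).
    session_export:       the server-side session string the module would export, or None
                          when the request carries no valid session.
    strip_session_header: models a server that drops the client's 'Session' header before
                          the CGI environment is assembled (the mitigation discussed below).

    Assumption (not taken from the page): header-derived HTTP_* variables are written after
    the module's export, so on a name clash the client's value is the one that survives.
    """
    env = {}
    if session_export is not None:
        env[SESSION_ENV_VAR] = session_export
    seen_headers = set()
    for name, value in request_headers:
        if strip_session_header and name.lower() == "session":
            continue
        key = cgi_header_env_name(name)
        if key in seen_headers:
            # RFC 3875: repeated headers are joined with ", " into one variable
            env[key] = env[key] + ", " + value
        else:
            env[key] = value
            seen_headers.add(key)
    return env


def session_fields(env):
    """What a trusting CGI application does with HTTP_SESSION: parse it as
    'name=value&name=value' pairs. The pair format is an assumption for this example."""
    raw = env.get(SESSION_ENV_VAR)
    if not raw:
        return {}
    return dict(parse_qsl(raw, keep_blank_values=True))


def effective_role(env):
    """Toy authorisation decision a CGI might make from the exported session."""
    return session_fields(env).get("role", "anonymous")


def demo():
    """Four constructed cases: forged header with and without a real session, each with
    and without the header being stripped before the environment is built."""
    forged = [("Host", "app.example"), ("Session", "user=eve&role=admin")]
    vulnerable = build_cgi_env(forged)  # no server-side session at all
    mitigated = build_cgi_env(forged, strip_session_header=True)
    clash = build_cgi_env(forged, session_export="user=bob&role=user")
    clash_fixed = build_cgi_env(forged, session_export="user=bob&role=user",
                                strip_session_header=True)
    return {
        "vulnerable": effective_role(vulnerable),
        "mitigated": effective_role(mitigated),
        "clash": effective_role(clash),
        "clash_fixed": effective_role(clash_fixed),
    }


if __name__ == "__main__":
    for case, role in demo().items():
        print(f"{case:12s} -> role={role}")
```

The point a practitioner should take from the example is that a CGI script cannot tell a module-exported HTTP_SESSION from a client-supplied one, so the check has to happen on the server side before the environment is assembled. Upgrading past the affected range is the fix; as a stop-gap on an affected build, dropping the client's "Session" header before mod_session runs (for instance with mod_headers, `RequestHeader unset Session early`) is one way to do what `strip_session_header` models here, and is a suggestion of this example rather than guidance from the page. With SessionEnv left at its default of off, the export never happens and the collision does not arise.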
Do I need to act?
EPSS: 3.3% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: not tracked on this page. The affected range stops at 2.4.29, so later 2.4 releases carry the fix; check the Apache vendor advisory and the Red Hat errata referenced below for fix availability and mitigation guidance
CVSS 5.3/10 (Medium): attack vector NETWORK, attack complexity HIGH
Affected Products (16)
References (52)
Third Party Advisory: http://www.securityfocus.com/bid/103520
Third Party Advisory: http://www.securitytracker.com/id/1040568
Third Party Advisory: https://access.redhat.com/errata/RHSA-2018:3558
Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:0366
Third Party Advisory: https://access.redhat.com/errata/RHSA-2019:0367
Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html
and 32 more references
Risk score: 42/100 (moderate-risk)
Severity: 17/34 (Moderate)
Exploitability: 7/34 (Low)
Exposure: 18/34 (Moderate)