ssl_engine_kernel.c in mod_ssl prior to 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote malicious users to bypass intended access restrictions.
Vulnerable Product |
---|
apache http server |
debian debian linux 3.1 |
debian debian linux 3.0 |
canonical ubuntu linux 4.10 |
canonical ubuntu linux 5.04 |
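The following is an added example, not part of the original advisory or of mod_ssl: a Python check that reads an Apache configuration and reports every per-location `SSLVerifyClient require` that sits under an inherited server-level or virtual-host-level `SSLVerifyClient optional`, the combination the description above names. The function name, the constructed sample configuration and the set of section types treated as "per-location" are assumptions.

```python
import re
# Constructed sample configuration (not from any real server).
SAMPLE_CONF = """\
SSLVerifyClient optional
<VirtualHost _default_:443>
    <Location /admin>
        SSLVerifyClient require
    </Location>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    SSLVerifyClient none
    <Location /secure>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

OPEN = re.compile(r"^<\s*(\w+)\s*([^>]*)>$")
CLOSE = re.compile(r"^</\s*\w+\s*>$")
DIRECTIVE = re.compile(r"^SSLVerifyClient\s+(\S+)", re.I)
# Assumption: these section types count as the "per-location context".
PER_LOCATION = {"location", "locationmatch", "directory", "directorymatch"}

def find_affected_locations(conf_text):
    """Return (line, path) for each per-location 'require' whose enclosing
    server or virtual host resolves to 'optional' (innermost setting wins)."""
    stack = [{"name": "server", "arg": "", "level": None}]
    candidates = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
        elif (m := OPEN.match(line)):
            stack.append({"name": m.group(1).lower(), "arg": m.group(2).strip(), "level": None})
        elif (m := DIRECTIVE.match(line)):
            level, here = m.group(1).lower(), stack[-1]
            if here["name"] not in PER_LOCATION:
                here["level"] = level  # server-level or virtual-host-level setting
            elif level == "require":
                candidates.append((lineno, here["arg"], stack[:-1]))
    findings = []
    for lineno, path, enclosing in candidates:
        # Resolved after the whole file is read, so directive order does not matter.
        inherited = next((f["level"] for f in reversed(enclosing) if f["level"]), "none")
        if inherited == "optional":
            findings.append((lineno, path))
    return findings
```

On the sample, only `/admin` is reported: the second virtual host overrides the global `optional` with `none`, so its `/secure` location does not match the pattern in the description.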