The Apache HTTP Server 2.4.18 up to and including 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote malicious users to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
apache http server 2.4.20 |
||
apache http server 2.4.18 |
||
apache http server 2.4.19 |