What is CVE-2019-0217?

CVE-2019-0217 is a vulnerability in Apache Http Server. Published 2019-04-08.

Is CVE-2019-0217 known to be exploited?

18 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Http Server

CVE-2019-0217

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control…

EPSS: 0.430 (97.6th percentile) — read the EPSS interpretation.

Affected products

Apache Http Server — versions 2.4.0 to 2.4.38

Public proof-of-concept exploits

References

[httpd-dev] 20190402 re: svn commit: r33393 - /release/httpd/CHANGES_2.4 (mailing-list, x_refsource_MLIST)
[oss-security] 20190401 CVE-2019-0217: mod_auth_digest access control bypass (mailing-list, x_refsource_MLIST)
107668 (vdb-entry, x_refsource_BID)
20190403 [SECURITY] [DSA 4422-1] apache2 security update (mailing-list, x_refsource_BUGTRAQ)
[debian-lts-announce] 20190403 [SECURITY] [DLA 1748-1] apache2 security update (mailing-list, x_refsource_MLIST)
USN-3937-1 (vendor-advisory, x_refsource_UBUNTU)
DSA-4422 (vendor-advisory, x_refsource_DEBIAN)
FEDORA-2019-119b14075a (vendor-advisory, x_refsource_FEDORA)
httpd.apache.org/security/vulnerabilities_24.html (x_refsource_MISC)
EDORA-2019-cf7695b470 (vendor-advisory, x_refsource_FEDORA)

Frequently asked questions

What is CVE-2019-0217?: CVE-2019-0217 is a vulnerability in Apache Http Server. Published 2019-04-08.
Is CVE-2019-0217 known to be exploited?: 18 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.