Description
Kayran has detected that the Version of Apache HTTP Server being used is vulnerable to the ‘mod_auth_digest access control bypass’ vulnerability.
CVE-2019-0217 is categorized as a ‘Concurrent Execution using Shared Resource with Improper Synchronization (aka “Race Condition”)’ vulnerability (CWE-362).
These vulnerabilities occur when the code requires that certain state should not be modified between two operations, but a timing window exists in which the state can be modified by an unauthorized actor or a process.
The Version of Apache HTTP Server being used has a Race Condition in ‘mod_auth_digest’ when running in a threaded server.
That could allow users with valid credentials to authenticate using different usernames.
Bypassing the configured access control restrictions is possible.
It could lead to information being disclosed, assisting attackers in performing attacks against your assets.
There’s a chance that this vulnerability will allow attackers to modify system files and information.
Also, it may lead to a decrease in performance and interruptions in the availability of resources.
Recommendation
To fix CVE-2019-0217, upgrade the version of Apache HTTP Server being used to 2.4.39.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0217
