QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2018-1283

Back to search

CVE-2018-1283

Published: Mar 26, 2018

Modified: Sep 16, 2024

PUBLISHED

Description

In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

VendorProductVersions

Apache Software Foundation

Apache HTTP Server

affected
2.4.0 to 2.4.29

References

USN-3627-1
vendor-advisory
x_refsource_UBUNTU
DSA-4164
vendor-advisory
x_refsource_DEBIAN
RHSA-2018:3558
vendor-advisory
x_refsource_REDHAT
RHSA-2019:0367
vendor-advisory
x_refsource_REDHAT
1040568
vdb-entry
x_refsource_SECTRACK
USN-3627-2
vendor-advisory
x_refsource_UBUNTU
103520
vdb-entry
x_refsource_BID
RHSA-2019:0366
vendor-advisory
x_refsource_REDHAT

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now