mirror of
https://github.com/0xMarcio/cve.git
synced 2025-06-19 17:30:12 +00:00
1.1 KiB
1.1 KiB
CVE-2016-4979
Description
The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.
POC
Reference
- http://packetstormsecurity.com/files/137771/Apache-2.4.20-X509-Authentication-Bypass.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html