Description

The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.

Remediation

References

CVE-2016-4979

Related Vulnerabilities

WordPress Plugin Postmatic-Post and comment subscriptions that invite you to hit reply Cross-Site Scripting (1.4.5)

WordPress Plugin User Role by BestWebSoft Cross-Site Scripting (1.5.5)

WordPress Plugin PowerPress Podcasting by Blubrry Cross-Site Scripting (6.0)

WordPress Plugin SP Project & Document Manager Unspecified Vulnerability (2.5.7.3)

TYPO3 Permissions, Privileges, and Access Controls Vulnerability (CVE-2008-2717)

Severity

High

Classification

CVE-2016-4979 CWE-284 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities