Apache HTTPD HTTP/2: remote user can bypass client certificate authentication


Description: A vulnerability was reported in Apache HTTPD. A remote user can bypass client certificate authentication.

The web server's experimental module for HTTP/2 (mod_http2) does not properly validate an X.509 client certificate. A remote user can bypass client certificate authentication to access web resources on the target system.

Affected versions: Apache 2.4.18 through 2.4.20 using the mod_http2 module and with the h2 and h2c protocols activated in the configuration.

Recommended action: Apply the fix issued by the vendor (2.4.23).
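
A check for the conditions listed under Affected versions, as an added example that is not part of the original advisory: it takes the `httpd -v` banner and a configuration file's text and reports whether an affected version, a loaded mod_http2, an h2/h2c `Protocols` entry and `SSLVerifyClient` all coincide. The sample configuration is constructed, included files are not followed, and treating either h2 or h2c as sufficient is an assumption.

```python
import re

# Affected range as stated in the advisory: 2.4.18 through 2.4.20.
AFFECTED_MIN, AFFECTED_MAX = (2, 4, 18), (2, 4, 20)

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
LoadModule http2_module modules/mod_http2.so
<VirtualHost *:443>
    Protocols h2 http/1.1
    SSLEngine on
    SSLVerifyClient require
</VirtualHost>
"""

def parse_version(banner):
    """Extract (major, minor, patch) from text such as `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version found in: %r" % banner)
    return tuple(int(x) for x in m.groups())

def directives(config_text):
    """Yield (name, args), lower-cased, skipping comments and section tags."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split()
        yield parts[0].lower(), [p.lower() for p in parts[1:]]

def assess(banner, config_text):
    """Return findings; 'exposed' is True only when every condition holds."""
    version = parse_version(banner)
    found = {"version_affected": AFFECTED_MIN <= version <= AFFECTED_MAX,
             "http2_loaded": False, "h2_enabled": False,
             "client_cert_auth": False}
    for name, args in directives(config_text):
        if name == "loadmodule" and args[:1] == ["http2_module"]:
            found["http2_loaded"] = True
        elif name == "protocols" and {"h2", "h2c"} & set(args):
            found["h2_enabled"] = True  # assumption: either protocol counts
        elif name == "sslverifyclient" and args and args[0] != "none":
            found["client_cert_auth"] = True
    found["exposed"] = all(found.values())
    return found

if __name__ == "__main__":
    print(assess("Server version: Apache/2.4.20 (Unix)", SAMPLE_CONF))
```
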
