CVE-2017-3167

Source
Severity Medium
Remote Yes
Type Authentication bypass
Description
An authentication bypass flaw has been found in Apache httpd < 2.4.26, where the use of the ap_get_basic_auth_pw() function by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request.
Group Package Affected Fixed Severity Status Ticket
AVG-316 apache 2.4.25-3 2.4.26-1 High Fixed
Date Advisory Group Package Severity Description
28 Jun 2017 ASA-201706-34 AVG-316 apache High multiple issues
References
https://httpd.apache.org/security/vulnerabilities_24.html
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch