CVE-2017-3167 - log back

CVE-2017-3167 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Authentication bypass
Description
+ An authentication bypass flaw has been found in Apache httpd < 2.4.26, where the use of the ap_get_basic_auth_pw() function by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request.
References
+ https://httpd.apache.org/security/vulnerabilities_24.html
+ https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
Notes