ALAS-2017-896 ---- httpd24 httpd
ID: oval:org.secpod.oval:def:1600776 | Date: (C)2017-09-27 (M)2024-02-19 |
Class: PATCH | Family: unix |
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration.
Platform: |
Amazon Linux AMI |