Allele Security Alert
ASA-2019-00027
Identifier(s)
ASA-2019-00027, CVE-2018-17199
Title
mod_session_cookie does not respect expiry time
Vendor(s)
Apache Software Foundation
Product(s)
Apache HTTP Server (httpd)
Affected version(s)
Apache HTTP Server versions 2.4.0 to 2.4.37
Fixed version(s)
Apache HTTP Server version 2.4.38
Proof of concept
Unknown
Description
In Apache HTTP Server 2.4 releases 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. Because the expiry time is only loaded when the session is decoded, the expiry time is ignored for mod_session_cookie sessions.
Technical details
Unknown
Credits
Diego Angulo (ImExHS)
Reference(s)
Apache HTTP Server 2.4 vulnerabilities
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2018-17199: mod_session_cookie does not respect expiry time
https://seclists.org/oss-sec/2019/q1/81
CVE-2018-17199
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199
CVE-2018-17199
https://nvd.nist.gov/vuln/detail/CVE-2018-17199
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: October 2, 2019