In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
Priority: MEDIUM
CVSS v3: 9.8
Component: apache
Publish Date: Mar 26, 2018
Related ID: --
CVSS v2: CRITICAL
Modified Date: Mar 29, 2018
Find out more about CVE-2018-1312 from the MITRE-CVE dictionary and NIST NVD
Login may be required to access defects or downloads.
Product Name |
Status |
Defect |
Fixed |
Downloads |
Notes
Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.