Vulnerability Details: CVE-2017-12171
A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd 2.2.15-60, causing comments in the "Allow" and "Deny" configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a restricted HTTP resource.
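As an added example (not part of this CVE record or of Red Hat's advisory), a small audit script that flags the directive shape this regression mis-parses: `Allow from` / `Deny from` lines that carry an inline `#` comment. The check and the rewrite helper are an assumed administrator's review aid, not the parser logic of httpd 2.2.15-60, and the sample configuration is constructed.

```python
import re

# Matches a mod_authz_host (httpd 2.2) "Allow from ..." / "Deny from ..." directive.
ACCESS_RULE = re.compile(r"^\s*(Allow|Deny)\s+from\b(?P<args>.*)$", re.IGNORECASE)


def find_inline_comments(config_text):
    """Return (line_number, line) for every Allow/Deny directive whose argument
    list contains a trailing '#' comment, the pattern the regression mis-parses.
    Lines that are comments in their entirety are skipped: they never reach the
    directive parser."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = ACCESS_RULE.match(line)
        if m and "#" in m.group("args"):
            findings.append((lineno, line.strip()))
    return findings


def strip_inline_comment(line):
    """Rewrite one flagged directive so the comment sits on its own line above it."""
    rule, _, comment = line.partition("#")
    return "# " + comment.strip() + "\n" + rule.rstrip()


# Constructed sample httpd.conf fragment (not taken from the advisory).
SAMPLE_CONF = """\
<Directory "/var/www/internal">
    Order deny,allow
    Deny from all
    # management network only
    Allow from 192.0.2.0/24
    Allow from 198.51.100.7 # jump host
</Directory>
<Location "/status">
    Order allow,deny
    Allow from 127.0.0.1
    Deny from 203.0.113.9 # noisy scanner, see ticket
</Location>
"""

if __name__ == "__main__":
    for lineno, line in find_inline_comments(SAMPLE_CONF):
        print(f"line {lineno}: {line}")
        print("  rewrite as:\n" + strip_inline_comment(line))
```

Run it against the real configuration with `find_inline_comments(open("/etc/httpd/conf/httpd.conf").read())` (and the files under conf.d); any hit should be rewritten or the package updated per RHSA-2017:2972.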
Vulnerability categories: Input validation; Bypass; Gain privilege
Products affected by CVE-2017-12171
- cpe:2.3:o:redhat:enterprise_linux:6.9:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.2.15-60:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-12171
- EPSS score: 0.18% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~56% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2017-12171
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N | 10.0 | 4.9 | NIST
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 3.9 | 2.5 | NIST
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 3.9 | 2.5 | Red Hat, Inc.
CWE ids for CVE-2017-12171
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Secondary)
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Assigned by: secalert@redhat.com (Primary)
References for CVE-2017-12171
- http://www.securityfocus.com/bid/101516 - Apache HTTP Server CVE-2017-12171 Security Bypass Vulnerability (Broken Link; Third Party Advisory; VDB Entry)
- http://www.securitytracker.com/id/1039633 - Apache HTTPD on Red Hat Enterprise Linux Configuration Parsing Error May Let Remote Users Bypass Security Restrictions - SecurityTracker (Third Party Advisory; VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:2972 - RHSA-2017:2972 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12171 - 1493056 (CVE-2017-12171) httpd: # character matches all IPs (Issue Tracking; Vendor Advisory)