BIT-apache-2025-23048
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/apache/BIT-apache-2025-23048.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/BIT-apache-2025-23048
- Aliases
- Published
- 2025-07-16T07:56:19.860Z
- Modified
- 2025-07-17T09:06:40.486Z
- Summary
- Apache HTTP Server: mod_ssl access control bypass with session resumption
- Details
-
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.
Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
- Database specific
{ "severity": "Critical", "cpes": [ "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*" ] }- References
Affected packages
Bitnami / apache
Package
- Name
- apache
- Purl
- pkg:bitnami/apache
Severity
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator