In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html cve-icon cve-icon
http://www.apache.org/dist/httpd/CHANGES_2.4 cve-icon
http://www.openwall.com/lists/oss-security/2019/04/02/5 cve-icon cve-icon
http://www.securityfocus.com/bid/107668 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2343 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3436 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3932 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3933 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3935 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:4126 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=1695020 cve-icon cve-icon
https://httpd.apache.org/security/vulnerabilities_24.html cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/e0b8f6e858b1c8ec2ce8e291a2c543d438915037c7af661ab6d33808%40%3Cdev.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2019/04/msg00008.html cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ALIR5S3O7NRHEGFMIDMUSYQIZOE4TJJN/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZRMTEIGZKYFNGIDOTXN3GNEJTLVCYU7/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT/ cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2019-0217 cve-icon
https://seclists.org/bugtraq/2019/Apr/5 cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20190423-0001/ cve-icon cve-icon
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us cve-icon cve-icon
https://usn.ubuntu.com/3937-1/ cve-icon cve-icon
https://usn.ubuntu.com/3937-2/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2019-0217 cve-icon
https://www.debian.org/security/2019/dsa-4422 cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuapr2020.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html cve-icon cve-icon
History

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.35854}

epss

{'score': 0.34777}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-08-04T17:44:15.383Z

Reserved: 2018-11-14T00:00:00

Link: CVE-2019-0217

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-04-08T21:29:00.843

Modified: 2024-11-21T04:16:30.643

Link: CVE-2019-0217

cve-icon Redhat

Severity : Moderate

Publid Date: 2019-04-01T00:00:00Z

Links: CVE-2019-0217 - Bugzilla

cve-icon OpenCVE Enrichment

No data.