Apache HTTP Server: mod_ssl access control bypass with session resumption

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.

N/A

访问控制不恰当

Apache HTTP Server 访问控制错误漏洞

Apache HTTP Server是美国阿帕奇（Apache）基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点。 Apache HTTP Server 2.4.35至2.4.63版本存在访问控制错误漏洞，该漏洞源于某些mod_ssl配置可能导致TLS 1.3会话恢复时访问控制绕过。

N/A

N/A