Description
A regression error in the Debian distributions of the apache-ssl package (before 1.3.9 on Debian 2.2, and before 1.3.26 on Debian 3.0), for Apache 1.3.27 and earlier, allows local users to read or modify the Apache password file via a symlink attack on temporary files when the administrator runs (1) htpasswd or (2) htdigest, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2001-0131.
Products
- Apache Software Foundation Apache HTTP Server 1.3.17
- Apache HTTP Server 1.3.17 for Windows
- Apache Software Foundation Apache HTTP Server 1.3.18
- Apache HTTP Server 1.3.18 for Windows
- Apache Software Foundation Apache HTTP Server 1.3.19
- Apache HTTP Server 1.3.19 for Windows
- Apache Software Foundation Apache HTTP Server 1.3.20
- Apache HTTP Server 1.3.20 for Windows
- Apache Software Foundation Apache HTTP Server 1.3.22
- Apache HTTP Server 1.3.22 for Windows
- Apache Software Foundation Apache HTTP Server 1.3.23
- Apache HTTP Server 1.3.23 for Windows
- Apache Software Foundation Apache HTTP Server 1.3.24
- Apache HTTP Server 1.3.24 for Windows
- Apache Software Foundation Apache HTTP Server 1.3.25
- Apache HTTP Server 1.3.25 for Windows
- Apache Software Foundation Apache HTTP Server 1.3.26
- Apache HTTP Server 1.3.26 for Win32
- Apache Software Foundation Apache HTTP Server 1.3.27
Questions to Ask Vendors
- Can you confirm whether your systems are affected by CVE-2002-1233, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2002-1233 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions
- Check out the advisory links provided below.
References