Apache HTTP Server up to 1.3.20 mod_usertrack improper authentication
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
3.8 | $0-$5k | 0.00 |
A vulnerability was found in Apache HTTP Server up to 1.3.20 (Web Server). It has been classified as problematic. This affects an unknown part of the component mod_usertrack. The manipulation with an unknown input leads to a improper authentication vulnerability. CWE is classifying the issue as CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. This is going to have an impact on confidentiality. The summary by CVE is:
mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID s using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID s and bypass authentication when these session ID s are used for authentication.
The weakness was presented 12/31/2001 by David Endler as not defined posting (Bugtraq). The advisory is shared at cert.uni-stuttgart.de. This vulnerability is uniquely identified as CVE-2001-1534 since 07/14/2005. The exploitability is told to be easy. An attack has to be approached locally. No form of authentication is needed for exploitation. Neither technical details nor an exploit are publicly available.
Upgrading eliminates this vulnerability.
The vulnerability is also documented in the vulnerability database at X-Force (7494). See 17854 for similar entry.
Product
Type
Vendor
Name
Version
- 1.3.0
- 1.3.1
- 1.3.2
- 1.3.3
- 1.3.4
- 1.3.5
- 1.3.6
- 1.3.7
- 1.3.8
- 1.3.9
- 1.3.10
- 1.3.11
- 1.3.12
- 1.3.13
- 1.3.14
- 1.3.15
- 1.3.16
- 1.3.17
- 1.3.18
- 1.3.19
- 1.3.20
License
Support
- end of life (old version)
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.0VulDB Meta Temp Score: 3.8
VulDB Base Score: 4.0
VulDB Temp Score: 3.8
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Improper authenticationCWE: CWE-287
ATT&CK: Unknown
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Timeline
11/08/2001 🔍12/31/2001 🔍
12/31/2001 🔍
01/01/2003 🔍
01/28/2004 🔍
07/14/2005 🔍
07/11/2014 🔍
05/19/2019 🔍
Sources
Vendor: apache.orgAdvisory: cert.uni-stuttgart.de
Researcher: David Endler
Status: Not defined
CVE: CVE-2001-1534 (🔍)
X-Force: 7494
Vulnerability Center: 3624 - Apache mod_usertrack Module Generates Predictable ID Numbers, Medium
SecurityFocus: 3521 - Apache mod_usertrack Predictable ID Generation Vulnerability
See also: 🔍
Entry
Created: 07/11/2014 13:29Updated: 05/19/2019 15:28
Changes: 07/11/2014 13:29 (42), 05/19/2019 15:28 (21)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.