Severity: moderate
Affected versions: - Apache HTTP Server 2.4.35 through 2.4.63 Description: In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host. Credit: Sven Hebrok, Felix Cramer, Tim Storm, Maximilian Radoy, and Juraj Somorovsky at Paderborn University (finder) References: https://httpd.apache.org/security/vulnerabilities_24.html https://httpd.apache.org/ https://www.cve.org/CVERecord?id=CVE-2025-23048 Timeline: 2024-11-25: reported 2025-07-07: 2.4.x revision 1927043 --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
