CVE-2018-1312

In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.

Published: 2018-03-26 15:29
Updated: 2019-07-29 19:15

CVSS Score: 6.8 / 10

| Vendor | Product | Version | URI |
|---|---|---|---|
| Apache | Http Server | 2.4.0 | cpe:/a:apache:http_server:2.4.0 |
| Apache | Http Server | 2.4.1 | cpe:/a:apache:http_server:2.4.1 |
| Apache | Http Server | 2.4.2 | cpe:/a:apache:http_server:2.4.2 |
| Apache | Http Server | 2.4.3 | cpe:/a:apache:http_server:2.4.3 |
| Apache | Http Server | 2.4.4 | cpe:/a:apache:http_server:2.4.4 |
| Apache | Http Server | 2.4.6 | cpe:/a:apache:http_server:2.4.6 |
| Apache | Http Server | 2.4.7 | cpe:/a:apache:http_server:2.4.7 |
| Apache | Http Server | 2.4.8 | cpe:/a:apache:http_server:2.4.8 |
| Apache | Http Server | 2.4.9 | cpe:/a:apache:http_server:2.4.9 |
| Apache | Http Server | 2.4.10 | cpe:/a:apache:http_server:2.4.10 |
| Apache | Http Server | 2.4.12 | cpe:/a:apache:http_server:2.4.12 |
| Apache | Http Server | 2.4.14 | cpe:/a:apache:http_server:2.4.14 |
| Apache | Http Server | 2.4.16 | cpe:/a:apache:http_server:2.4.16 |
| Apache | Http Server | 2.4.17 | cpe:/a:apache:http_server:2.4.17 |
| Apache | Http Server | 2.4.18 | cpe:/a:apache:http_server:2.4.18 |
| Apache | Http Server | 2.4.19 | cpe:/a:apache:http_server:2.4.19 |
| Apache | Http Server | 2.4.20 | cpe:/a:apache:http_server:2.4.20 |
| Apache | Http Server | 2.4.21 | cpe:/a:apache:http_server:2.4.21 |
| Apache | Http Server | 2.4.22 | cpe:/a:apache:http_server:2.4.22 |
| Apache | Http Server | 2.4.23 | cpe:/a:apache:http_server:2.4.23 |
| Apache | Http Server | 2.4.24 | cpe:/a:apache:http_server:2.4.24 |
| Apache | Http Server | 2.4.25 | cpe:/a:apache:http_server:2.4.25 |
| Apache | Http Server | 2.4.26 | cpe:/a:apache:http_server:2.4.26 |
| Apache | Http Server | 2.4.27 | cpe:/a:apache:http_server:2.4.27 |
| Apache | Http Server | 2.4.28 | cpe:/a:apache:http_server:2.4.28 |
| Apache | Http Server | 2.4.29 | cpe:/a:apache:http_server:2.4.29 |
| Debian | Debian Linux | 8.0 | cpe:/o:debian:debian_linux:8.0 |
| Debian | Debian Linux | 9.0 | cpe:/o:debian:debian_linux:9.0 |
| Canonical | Ubuntu Linux | 14.04 | cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~ |
| Canonical | Ubuntu Linux | 16.04 | cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~ |
| Canonical | Ubuntu Linux | 17.10 | cpe:/o:canonical:ubuntu_linux:17.10 |
| Canonical | Ubuntu Linux | 18.04 | cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~ |
| Debian | Debian Linux | 7.0 | cpe:/o:debian:debian_linux:7.0 |
| Netapp | Santricity Cloud Connector | - | cpe:/a:netapp:santricity_cloud_connector:- |
| Netapp | Storage Automation Store | - | cpe:/a:netapp:storage_automation_store:- |
| Netapp | Storagegrid | - | cpe:/a:netapp:storagegrid:- |
| Canonical | Ubuntu Linux | 12.04 | cpe:/o:canonical:ubuntu_linux:12.04::~~esm~~~ |
| Netapp | Clustered Data Ontap | - | cpe:/o:netapp:clustered_data_ontap:- |
| Redhat | Enterprise Linux | 7.0 | cpe:/o:redhat:enterprise_linux:7.0 |
| Redhat | Enterprise Linux | 7.4 | cpe:/o:redhat:enterprise_linux:7.4 |
| Redhat | Enterprise Linux | 7.5 | cpe:/o:redhat:enterprise_linux:7.5 |
| Redhat | Enterprise Linux | 7.6 | cpe:/o:redhat:enterprise_linux:7.6 |
| Redhat | Enterprise Linux | 6.0 | cpe:/o:redhat:enterprise_linux:6.0 |
| Apache | Http Server | 2.2.0 | cpe:/a:apache:http_server:2.2.0 |
| Apache | Http Server | 2.2.1 | cpe:/a:apache:http_server:2.2.1 |
| Apache | Http Server | 2.2.2 | cpe:/a:apache:http_server:2.2.2 |
| Apache | Http Server | 2.2.3 | cpe:/a:apache:http_server:2.2.3 |
| Apache | Http Server | 2.2.4 | cpe:/a:apache:http_server:2.2.4 |
| Apache | Http Server | 2.2.5 | cpe:/a:apache:http_server:2.2.5 |
| Apache | Http Server | 2.2.6 | cpe:/a:apache:http_server:2.2.6 |
| Apache | Http Server | 2.2.8 | cpe:/a:apache:http_server:2.2.8 |
| Apache | Http Server | 2.2.9 | cpe:/a:apache:http_server:2.2.9 |
| Apache | Http Server | 2.2.10 | cpe:/a:apache:http_server:2.2.10 |
| Apache | Http Server | 2.2.11 | cpe:/a:apache:http_server:2.2.11 |
| Apache | Http Server | 2.2.12 | cpe:/a:apache:http_server:2.2.12 |
| Apache | Http Server | 2.2.13 | cpe:/a:apache:http_server:2.2.13 |
| Apache | Http Server | 2.2.14 | cpe:/a:apache:http_server:2.2.14 |
| Apache | Http Server | 2.2.15 | cpe:/a:apache:http_server:2.2.15 |
| Apache | Http Server | 2.2.16 | cpe:/a:apache:http_server:2.2.16 |
| Apache | Http Server | 2.2.17 | cpe:/a:apache:http_server:2.2.17 |
| Apache | Http Server | 2.2.18 | cpe:/a:apache:http_server:2.2.18 |
| Apache | Http Server | 2.2.19 | cpe:/a:apache:http_server:2.2.19 |
| Apache | Http Server | 2.2.20 | cpe:/a:apache:http_server:2.2.20 |
| Apache | Http Server | 2.2.21 | cpe:/a:apache:http_server:2.2.21 |
| Apache | Http Server | 2.2.22 | cpe:/a:apache:http_server:2.2.22 |
| Apache | Http Server | 2.2.23 | cpe:/a:apache:http_server:2.2.23 |
| Apache | Http Server | 2.2.24 | cpe:/a:apache:http_server:2.2.24 |
| Apache | Http Server | 2.2.25 | cpe:/a:apache:http_server:2.2.25 |
| Apache | Http Server | 2.2.26 | cpe:/a:apache:http_server:2.2.26 |
| Apache | Http Server | 2.2.27 | cpe:/a:apache:http_server:2.2.27 |
| Apache | Http Server | 2.2.29 | cpe:/a:apache:http_server:2.2.29 |
| Apache | Http Server | 2.2.31 | cpe:/a:apache:http_server:2.2.31 |
| Apache | Http Server | 2.2.32 | cpe:/a:apache:http_server:2.2.32 |
| Apache | Http Server | 2.2.33 | cpe:/a:apache:http_server:2.2.33 |
| Apache | Http Server | 2.2.34 | cpe:/a:apache:http_server:2.2.34 |

CWE

| ID | Name | Description |
|---|---|---|
| CWE-287 | Improper Authentication | When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. |

History of changes

Date Event
2019-07-29 19:15
2019-04-22 17:48
2019-04-17 14:22
2019-04-10 16:29
2019-02-19 11:29
2019-02-07 11:29
2018-11-13 11:29
2018-06-03 01:29
2018-06-01 01:29
2018-05-02 01:29
2018-04-23 14:27
2018-04-21 01:29
2018-04-05 01:29
2018-03-30 01:29
2018-03-28 01:29
2018-03-26 15:29

New CVE