CVE-2017-3167

Advisory lineage Upstream: 0 Downstream: 19
Modified
Published: 20 Jun 2017, 01:00
Last modified:04 Nov 2025, 16:09

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.8 CRITICAL
v3.1 (nvd)
EPSS Score
8.72% LOW
9% probability -0.72%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

20 Jun 2017, 01:00
Published
Vulnerability first disclosed
04 Nov 2025, 16:09
Last Modified
Vulnerability information updated

Description

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

CVSS Metrics

  • v3.1CRITICALScore: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • v2.0HIGHScore: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 8.72% Percentile: 93%

Techniques & Countermeasures

  • CWE-287Improper Authentication

    When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Systems

  • apache software foundationapache http server

    2.2.0 to 2.2.32 | 2.4.0 to 2.4.25

  • UnknownHTTP Server

    ≥ 2.2.0, < 2.2.33 | ≥ 2.4.0, < 2.4.26

  • applemac_os_x

    < 10.13.1

  • debiandebian_linux

    8.0 | 9.0

  • netappclustered_data_ontap

    na

  • netapponcommand_unified_manager

    na

  • netappstoragegrid

    na

  • oraclesecure_global_desktop

    5.3

  • redhatenterprise_linux_desktop

    6.0 | 7.0

  • redhatenterprise_linux_eus

    6.7 | 7.2 | 7.3 | 7.4 | 7.5 | 7.6 | 7.7

  • redhatenterprise_linux_server

    6.0 | 7.0

  • redhatenterprise_linux_server_aus

    7.2 | 7.3 | 7.4 | 7.6 | 7.7

  • redhatenterprise_linux_server_tus

    7.2 | 7.3 | 7.4 | 7.6 | 7.7

  • redhatenterprise_linux_workstation

    6.0 | 7.0

  • redhatjboss_core_services

    1.0

References (39)