CVE-2018-1283

Published: 2018-03-26T11:29:00.367-04:00
Last modified: 2019-08-15T05:15:32.110-04:00

Description:
In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.

CVSS v2:
Base score: 3.5
Access vector: NETWORK
Access complexity: MEDIUM
Authentication: SINGLE_INSTANCE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
Source: http://nvd.nist.gov

References:
BID 103520
SECTRACK 1040568
DEBIAN DSA-4164
REDHAT RHSA-2018:3558
REDHAT RHSA-2019:0366
REDHAT RHSA-2019:0367
UBUNTU USN-3627-1
UBUNTU USN-3627-2
MLIST [httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
MLIST [oss-security] 20180323 CVE-2018-1283: Tampering of mod_session data for CGI applications
CONFIRM https://httpd.apache.org/security/vulnerabilities_24.html
CONFIRM https://security.netapp.com/advisory/ntap-20180601-0004/
CONFIRM https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us

Affected configurations (CPE):
cpe:/a:apache:http_server:2.4.0
cpe:/a:apache:http_server:2.4.1
cpe:/a:apache:http_server:2.4.2
cpe:/a:apache:http_server:2.4.3
cpe:/a:apache:http_server:2.4.4
cpe:/a:apache:http_server:2.4.6
cpe:/a:apache:http_server:2.4.7
cpe:/a:apache:http_server:2.4.8
cpe:/a:apache:http_server:2.4.9
cpe:/a:apache:http_server:2.4.10
cpe:/a:apache:http_server:2.4.12
cpe:/a:apache:http_server:2.4.14
cpe:/a:apache:http_server:2.4.16
cpe:/a:apache:http_server:2.4.17
cpe:/a:apache:http_server:2.4.18
cpe:/a:apache:http_server:2.4.19
cpe:/a:apache:http_server:2.4.20
cpe:/a:apache:http_server:2.4.21
cpe:/a:apache:http_server:2.4.22
cpe:/a:apache:http_server:2.4.23
cpe:/a:apache:http_server:2.4.24
cpe:/a:apache:http_server:2.4.25
cpe:/a:apache:http_server:2.4.26
cpe:/a:apache:http_server:2.4.27
cpe:/a:apache:http_server:2.4.28
cpe:/a:apache:http_server:2.4.29
cpe:/a:netapp:santricity_cloud_connector:-
cpe:/a:netapp:storage_automation_store:-
cpe:/a:netapp:storagegrid:-
cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:17.10
cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
cpe:/o:debian:debian_linux:8.0
cpe:/o:debian:debian_linux:9.0
cpe:/o:netapp:clustered_data_ontap:-
cpe:/o:redhat:enterprise_linux:6.0
cpe:/o:redhat:enterprise_linux:7.0
cpe:/o:redhat:enterprise_linux:7.4
cpe:/o:redhat:enterprise_linux:7.5
cpe:/o:redhat:enterprise_linux:7.6