CVE-2005-2700

Description

ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions.

CVSS 2.0 score: 10.0
Severity: Critical
EPSS: 4.90% (Top 15%)
Vendor advisories: debian.org, marc.info, redhat.com, trustix.org, novell.com, ubuntu.com, mandriva.com, opensuse.org, gentoo.org, sun.com, apache.org
Affected: n/a n/a

References

Link Tags
http://secunia.com/advisories/16705 third party advisory not applicable
http://www.debian.org/security/2005/dsa-807 third party advisory vendor advisory
http://marc.info/?l=bugtraq&m=112870296926652&w=2 issue tracking mailing list third party advisory vendor advisory
http://www.redhat.com/support/errata/RHSA-2005-608.html third party advisory vendor advisory
http://secunia.com/advisories/16700 third party advisory not applicable
http://secunia.com/advisories/17813 third party advisory not applicable
http://secunia.com/advisories/16743 third party advisory not applicable
http://secunia.com/advisories/16753 third party advisory not applicable
http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm third party advisory
http://www.vupen.com/english/advisories/2005/2659 vdb entry permissions required
http://secunia.com/advisories/17088 third party advisory not applicable
http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html vendor advisory broken link
http://secunia.com/advisories/22523 third party advisory not applicable
http://www.novell.com/linux/security/advisories/2005_51_apache2.html vendor advisory broken link
http://secunia.com/advisories/16748 third party advisory not applicable
http://www.ubuntu.com/usn/usn-177-1 third party advisory vendor advisory
http://people.apache.org/~jorton/CAN-2005-2700.diff vendor advisory
http://secunia.com/advisories/16754 third party advisory not applicable
http://www.mandriva.com/security/advisories?name=MDKSA-2005:161 vendor advisory broken link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10416 vdb entry third party advisory signature
http://www.redhat.com/support/errata/RHSA-2005-773.html third party advisory vendor advisory
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3117 broken link
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=167195 issue tracking third party advisory
https://lists.opensuse.org/opensuse-security-announce/2006-09/msg00016.html mailing list third party advisory vendor advisory
http://www.redhat.com/support/errata/RHSA-2005-816.html third party advisory vendor advisory
http://secunia.com/advisories/16789 third party advisory not applicable
http://secunia.com/advisories/16714 third party advisory not applicable
http://secunia.com/advisories/16769 third party advisory not applicable
http://www.vupen.com/english/advisories/2006/4207 vdb entry permissions required
http://secunia.com/advisories/17288 third party advisory not applicable
http://secunia.com/advisories/16956 third party advisory not applicable
http://secunia.com/advisories/19072 third party advisory not applicable
http://secunia.com/advisories/21848 third party advisory not applicable
http://www.osvdb.org/19188 vdb entry broken link
http://www.vupen.com/english/advisories/2005/1625 vdb entry permissions required
http://secunia.com/advisories/16771 third party advisory not applicable
http://secunia.com/advisories/16746 third party advisory not applicable
http://www.gentoo.org/security/en/glsa/glsa-200509-12.xml third party advisory vendor advisory
http://www.novell.com/linux/security/advisories/2005_52_apache2.html vendor advisory broken link
http://www.debian.org/security/2005/dsa-805 third party advisory vendor advisory
http://www.securityfocus.com/bid/14721 vdb entry third party advisory
http://secunia.com/advisories/19073 third party advisory not applicable
http://marc.info/?l=apache-modssl&m=112569517603897&w=2 third party advisory mailing list
http://www.kb.cert.org/vuls/id/744929 third party advisory us government resource
http://marc.info/?l=bugtraq&m=112604765028607&w=2 issue tracking mailing list third party advisory vendor advisory
http://secunia.com/advisories/16864 third party advisory not applicable
http://secunia.com/advisories/17311 third party advisory not applicable
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102197-1 vendor advisory broken link
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1 vendor advisory broken link
http://www.vupen.com/english/advisories/2006/0789 vdb entry permissions required
https://lists.apache.org/thread.html/117bc3f09847ebf020b1bb70301ebcc105ddc446856150b63f37f8eb%40%3Cdev.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/5b1e7d66c5adf286f14f6cc0f857b6fca107444f68aed9e70eedab47%40%3Cdev.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r652fc951306cdeca5a276e2021a34878a76695a9f3cfb6490b4a6840%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/reb542d2038e9c331506e0cbff881b47e40fbe2bd93ff00979e60cdf7%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/rafd145ba6cd0a4ced113a5823cdaff45aeb36eb09855b216401c66d6%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E mailing list
https://lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E mailing list

Frequently Asked Questions

What is the severity of CVE-2005-2700?
CVE-2005-2700 has been scored as a critical severity vulnerability.
How to fix CVE-2005-2700?
To fix CVE-2005-2700, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. For now, no other specific guidelines are available.
Is CVE-2005-2700 being actively exploited in the wild?
It is possible that CVE-2005-2700 is being exploited or will be exploited in the near future, based on public information. According to its EPSS score, there is a ~5% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.