CVE-2016-4979: HTTPD webserver – X509 Client certificate based authentication can be bypassed when HTTP/2 is used [vs]

Posted by Dirk-Willem van Gulik on Jul 06

Security Advisory – Apache Software Foundation
Apache HTTPD WebServer / httpd.apache.org

X509 Client certificate based authentication can
be bypassed when HTTP/2 is used

CVE-2016-4979 / CVSS 7.5

The Apache HTTPD web server (from 2.4.18-2.4.20) did not validate an X509
client certificate correctly when the experimental module for the HTTP/2
protocol is used to access a resource….
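
A triage check for the three preconditions the advisory names (affected version, HTTP/2 module in use, client certificate authentication). This is an added example, not part of the advisory or of Apache's code. It assumes the inputs are the output of `httpd -v`, the output of `httpd -M`, and one flat configuration file; mapping the advisory's wording to `http2_module`, `Protocols h2` and `SSLVerifyClient` is this example's assumption, and the sample inputs are constructed.

```python
import re

# Affected range as stated in the advisory: 2.4.18 through 2.4.20.
AFFECTED = ((2, 4, 18), (2, 4, 20))

def parse_version(banner):
    """Return (major, minor, patch) from `httpd -v` output, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(map(int, m.groups())) if m else None

def directives(conf):
    """Yield (name, args), lowercased, for each active directive line."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.lower().split()
            yield name, args

def assess(banner, modules, conf):
    """Report which preconditions hold. Assumption: conf is one flat file;
    Include files and per-vhost override order are not resolved."""
    version = parse_version(banner)
    result = {
        "version_affected": version is not None
                            and AFFECTED[0] <= version <= AFFECTED[1],
        "http2_loaded": "http2_module" in modules,
        "h2_offered": False,
        "client_cert_auth": False,
    }
    for name, args in directives(conf):
        if name == "protocols" and "h2" in args:
            result["h2_offered"] = True   # h2 = HTTP/2 over TLS
        if name == "sslverifyclient" and args[:1] not in ([], ["none"]):
            result["client_cert_auth"] = True
    result["preconditions_met"] = all(result.values())
    return result

# Constructed sample inputs, not taken from a real host.
SAMPLE_BANNER = "Server version: Apache/2.4.20 (Unix)"
SAMPLE_MODULES = " ssl_module (shared)\n http2_module (shared)\n"
SAMPLE_CONF = """\
# Protocols http/1.1
Protocols h2 http/1.1
<Location /admin>
    SSLVerifyClient require
</Location>
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_BANNER, SAMPLE_MODULES, SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

A host where `preconditions_met` is true warrants a closer look at its full configuration; a false result from this flat scan does not rule out settings pulled in through included files.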