{
  "threat_severity" : "Moderate",
  "public_date" : "2025-07-14T07:19:43Z",
  "bugzilla" : {
    "description" : "httpd: mod_ssl: access control bypass by trusted clients is possible using TLS 1.3 session resumption",
    "id" : "2374576",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2374576"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-284",
  "details" : [ "In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.\nConfigurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.", "An access control bypass vulnerability was found in Apache httpd. In some mod_ssl configurations, a client that is already trusted to access one virtual host can use TLS 1.3 session resumption to bypass the per-virtual-host client-certificate access controls and reach another virtual host on the same server. The bypass only applies when SSLStrictSNIVHostCheck is not enabled on either of the virtual hosts involved." ],
  "statement" : "Configurations are affected when mod_ssl is configured for multiple virtual hosts, each restricted to a different set of trusted client certificates (for example, with a different SSLCACertificateFile/Path setting per virtual host).\nThis vulnerability is rated Moderate rather than Important due to the specific and uncommon configuration prerequisites needed for exploitation. The flaw allows a trusted client—one already holding a client certificate that is valid for one virtual host—to potentially bypass access controls and access another virtual host on the same server by leveraging TLS 1.3 session resumption, but only if the SSLStrictSNIVHostCheck directive is not enabled on either host. This is not a general remote access issue: it does not allow an unauthenticated or untrusted attacker to gain access, since the attacker must already hold a client certificate trusted by at least one of the affected virtual hosts. Furthermore, affected systems are those with multi-tenant SSL client-authentication setups that scope different trusted certificate sets to different virtual hosts, which are relatively rare.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-httpd-0:2.4.62-8.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_http2-0:2.0.29-5.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.50-9.redhat_1.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_md-1:2.4.28-10.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_proxy_cluster-0:1.3.22-4.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_security-0:2.9.6-11.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.62-8.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_http2-0:2.0.29-5.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.50-9.redhat_1.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_md-1:2.4.28-10.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_proxy_cluster-0:1.3.22-4.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13680",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_security-0:2.9.6-11.el7jbcs"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15095",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "httpd-0:2.4.63-1.el10_0.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-09-03T00:00:00Z",
    "advisory" : "RHSA-2025:15123",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "httpd:2.4-8100020250728150834.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-09-08T00:00:00Z",
    "advisory" : "RHSA-2025:15516",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
    "package" : "httpd:2.4-8020020250827160659.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15684",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "httpd:2.4-8040020250827161824.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15684",
    "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4",
    "package" : "httpd:2.4-8040020250827161824.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15698",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "httpd:2.4-8060020250827162806.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15698",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "httpd:2.4-8060020250827162806.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-09-11T00:00:00Z",
    "advisory" : "RHSA-2025:15698",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "httpd:2.4-8060020250827162806.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-09-10T00:00:00Z",
    "advisory" : "RHSA-2025:15619",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "httpd:2.4-8080020250827163339.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15023",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "httpd-0:2.4.62-4.el9_6.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-08-28T00:00:00Z",
    "advisory" : "RHSA-2025:14901",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "httpd-0:2.4.51-7.el9_0.10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-08-28T00:00:00Z",
    "advisory" : "RHSA-2025:14902",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "httpd-0:2.4.53-11.el9_2.13"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-08-28T00:00:00Z",
    "advisory" : "RHSA-2025:14903",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "httpd-0:2.4.57-11.el9_4.3"
  }, {
    "product_name" : "Red Hat JBoss Core Services 2.4.62.SP1",
    "release_date" : "2025-08-14T00:00:00Z",
    "advisory" : "RHSA-2025:13681",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-23048\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23048\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2025-23048",
  "mitigation" : {
    "value" : "No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability. Note that, as described above, the bypass only applies when SSLStrictSNIVHostCheck is not enabled in either of the affected virtual hosts; applying the updated packages listed in the advisories remains the recommended fix.",
    "lang" : "en:us"
  },
  "csaw" : false
}