Description
ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions.
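A configuration audit for the pattern described above, as an added example (not code from this page or from mod_ssl): it flags each per-location `SSLVerifyClient require` whose enclosing server or virtual host is set to `SSLVerifyClient optional`, which is the combination to review on mod_ssl versions before 2.8.24. The sample configuration is constructed, and the parser is a simplification that assumes one directive per line, does not follow `Include`, and treats `Directory` and `Files` sections like `Location`.

```python
import re

# Constructed sample config (not from the original page).
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLEngine on
    SSLVerifyClient optional
    <Location /admin>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>
    <Location /public>
        SSLVerifyClient none
    </Location>
</VirtualHost>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*\w+\s*>")
DIRECTIVE = re.compile(r"SSLVerifyClient\s+(\w+)", re.I)
PER_LOCATION = {"location", "locationmatch", "directory",
                "directorymatch", "files", "filesmatch"}

def find_affected_pattern(conf_text):
    """Return [(line_no, section)] for each per-location 'require' whose
    enclosing server/vhost scope is set to 'SSLVerifyClient optional'."""
    stack, vhosts = [], 0
    scope_mode = {}   # scope id (0 = main server) -> server-level value
    requires = []     # (line_no, section label, scope id)
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            name = m.group(1).lower()
            vhosts += name == "virtualhost"
            stack.append((name, f"{m.group(1)} {m.group(2).strip()}", vhosts))
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        scope = next((s[2] for s in reversed(stack) if s[0] == "virtualhost"), 0)
        inner = next((s for s in reversed(stack) if s[0] in PER_LOCATION), None)
        if inner is None:
            scope_mode[scope] = m.group(1).lower()
        elif m.group(1).lower() == "require":
            requires.append((n, inner[1], scope))
    return [(n, sec) for n, sec, scope in requires
            if scope_mode.get(scope, scope_mode.get(0)) == "optional"]
```

A virtual host with no `SSLVerifyClient` of its own is evaluated against the main-server value, so a global `optional` outside any `<VirtualHost>` is also caught.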
Remediation
References
Related Vulnerabilities
WordPress Plugin Adminimize 'page' Parameter Cross-Site Scripting (1.7.21)
Chamilo Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2021-38745)
Atlassian Jira URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2018-13402)
Moodle Improper Access Control Vulnerability (CVE-2020-25629)