Apache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth enabled, allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user.
Software | From | Fixed in |
---|---|---|
apache-ssl / apache-ssl | - | 1.3.28_1.52.x |