CVE-2025-23048 Information

Description

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63 an access control bypass by trusted clients is possible using TLS 1.3 session resumption.

Configurations are affected when mod_ssl is configured for multiple virtual hosts with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case a client trusted to access one virtual host may be able to access another virtual host if SSLStrictSNIVHostCheck is not enabled in either virtual host.

Reference

https://httpd.apache.org/security/vulnerabilities_24.html

Related CNNVD

CNNVD-202507-1508 (Published: 2025-07-10)