In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.
Created httpd tracking bugs for this issue:
Affects: fedora-all [bug 1695046]
Patch is at: https://svn.apache.org/viewvc?view=revision&revision=1855917
This flaw can be exploited for httpd configurations where per-location client certificates are enabled and TLS 1.3 is used.
The attacker can remotely exploit this httpd flaw (AV:N). However the server had to be configured to use per-location client certificate and the attacker needs to have access to the authenticating client certificate (AC:H). No other significant privileges are required by the attacker (PR:L). The result of the attack is bypass of the configured access control restrictions (CI:H). This however does not affect the system beyond the web server itself (S:U).
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:0980 https://access.redhat.com/errata/RHSA-2019:0980