CVE-2003-0192
Description
Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache HTTP Server before 2.0.47 and certain mod_ssl versions mishandle per-directory renegotiations with SSLCipherSuite upgrades, forcing continued use of weak ciphers.
Vulnerability
A flaw exists in Apache HTTP Server 2 before 2.0.47 and in certain versions of mod_ssl for Apache 1.3. The bug involves improper handling of certain sequences of per-directory renegotiations when the SSLCipherSuite directive is used to upgrade from a weak ciphersuite to a strong one. In affected configurations, the server may incorrectly continue to use the weak ciphersuite instead of enforcing the stronger one, undermining the intended security policy [1][2].
Exploitation
An attacker must be positioned to trigger a TLS renegotiation on a per-directory basis where the configuration attempts to upgrade ciphersuites. No special authentication or write access is required; the exploitation relies on the server's incorrect handling of the renegotiation sequence. The exact steps involve causing the server to renegotiate in a context where the SSLCipherSuite transition is misapplied, leading to the retention of the weaker ciphersuite [1][2].
Impact
Successful exploitation results in the integrity and confidentiality of the HTTPS session being weaker than intended. The attacker may be able to force the server to use a weaker ciphersuite, which could be more susceptible to cryptographic attacks (e.g., eavesdropping or man-in-the-middle). The impact is a downgrade of the negotiated security level, potentially exposing sensitive data [1][2].
Mitigation
Red Hat released updated packages in RHSA-2003:243, RHSA-2003:244, and RHSA-2003:240 to address this issue. Users of Apache HTTP Server should upgrade to Apache 2.0.47 or later, and users of mod_ssl for Apache 1.3 should apply the corresponding updates. Red Hat Enterprise Linux and other affected distributions are covered by these advisories [1][2].
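As an added illustration, not taken from the advisories or the Apache project, this constructed httpd configuration shows the per-directory SSLCipherSuite upgrade pattern this CVE concerns, followed by an alternative arrangement (an assumption of this example, with a hypothetical /secure location) that does not depend on a renegotiation to raise the cipher strength.

```apache
# Constructed example: the configuration pattern CVE-2003-0192 concerns.
# A weak suite at the virtual host level, upgraded per directory. On Apache
# before 2.0.47 (or an affected mod_ssl for 1.3) the renegotiation sequence
# may leave the weak suite in place for requests under /secure.
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite LOW:EXPORT
    <Location /secure>
        SSLCipherSuite HIGH:!aNULL:!MD5
    </Location>
</VirtualHost>

# Alternative (use instead of the block above, not alongside it): after
# upgrading to 2.0.47 or later, require a strong suite for the whole virtual
# host, so no weak suite is ever negotiated and no per-directory upgrade
# (and no renegotiation) is needed to reach the intended strength.
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
```

Run `apachectl configtest` before reloading to confirm the directives parse.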
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:apache:http_server:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.0.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.0.32:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.0.35:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.0.36:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.0.37:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.0.38:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.0.39:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.0.40:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.0.41:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.0.42:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.0.43:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.0.44:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.0.45:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:2.0.46:*:*:*:*:*:*:*
- Range: <2.0.47
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.redhat.com/support/errata/RHSA-2003-240.html (Patch, Vendor Advisory)
- ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.6/SCOSA-2004.6.txt
- marc.info
- www.mandriva.com/security/advisories
- www.redhat.com/support/errata/RHSA-2003-243.html
- www.redhat.com/support/errata/RHSA-2003-244.html
- lists.apache.org/thread.html/54a42d4b01968df1117cea77fc53d6beb931c0e05936ad02af93e9ac%40%3Ccvs.httpd.apache.org%3E
- lists.apache.org/thread.html/5df9bfb86a3b054bb985a45ff9250b0332c9ecc181eec232489e7f79%40%3Ccvs.httpd.apache.org%3E
- lists.apache.org/thread.html/r0276683d8e1e07153fc8642618830ac0ade85b9ae0dc7b07f63bb8fc%40%3Ccvs.httpd.apache.org%3E
- lists.apache.org/thread.html/r2cb985de917e7da0848c440535f65a247754db8b2154a10089e4247b%40%3Ccvs.httpd.apache.org%3E
- lists.apache.org/thread.html/r5001ecf3d6b2bdd0b732e527654248abb264f08390045d30709a92f6%40%3Ccvs.httpd.apache.org%3E
- lists.apache.org/thread.html/r7035b7c9091c4b665a3b7205364775410646f12125d48e74e395f2ce%40%3Ccvs.httpd.apache.org%3E
- lists.apache.org/thread.html/r8828e649175df56f1f9e3919938ac7826128525426e2748f0ab62feb%40%3Ccvs.httpd.apache.org%3E
- lists.apache.org/thread.html/r9e8622254184645bc963a1d47c5d47f6d5a36d6f080d8d2c43b2b142%40%3Ccvs.httpd.apache.org%3E
- lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
- lists.apache.org/thread.html/raa117ef183f0da9b3f46efbeaa66f7622bd68868a450cae4fd8ed594%40%3Ccvs.httpd.apache.org%3E
- lists.apache.org/thread.html/re028d61fe612b0908595d658b9b39e74bca56f2a1ed3c5f06b5ab571%40%3Ccvs.httpd.apache.org%3E
- lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A169
News mentions
No linked articles in our index yet.