mod_nss 1.0.8 and earlier, when NSSVerifyClient is set to none for the server/vhost context, does not enforce the NSSVerifyClient setting in the directory context, which allows remote attackers to bypass intended access restrictions.
Exploitability
AV:NAC:HAu:NImpact
C:PI:PA:N4/AV:N/AC:H/Au:N/C:P/I:P/A:N