CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
100.0%
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack.
Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
Recent assessments:
rbowes-r7 at May 24, 2023 4:09pm UTC reported:
This issue requires a fairly specific configuration to work. First, Apache has to be configured in a pretty specific way: a RewriteRule that passes user-controlled data into a query string. This line, from our configuration file above, is exploitable, as the $1 (user data) is after the ? (start of the query string):
RewriteRule "^/(.*)" "http://localhost:8081/?arg=$1" [P]
Whereas even a small change will break the exploit; this does not work:
RewriteRule "^/(.*)" "http://localhost:8081/$1" [P]
Additionally, this must be a security boundary, that is, smuggling an HTTP request must bypass some sort of access control check. We put together a Github search that tries to find software that would be exploitable if it was running on a vulnerable version of Apache, but nothing stands out as particularly interesting.
Applications and devices that come as complete images with multiple servers (such as a lot of enterprise software) would probably be better targets, but checking each one is difficult. We looked into this as an alternative way to exploit CVE-2022-1388, since the core of that vulnerability involved bypassing a reverse proxy's security checks, but its configuration is not vulnerable to CVE-2023-25690.
The final place we'd expect to see vulnerabilities is in reverse proxies that are configured to enforce some kind of ACL check or filtering, and that also do URL rewriting. One would have to test the specific configuration and application(s) that are being proxied; there's no easy way to scan for this sort of issue.
While we are not aware of any specific applications that are vulnerable to this, they may turn up as people investigate this vulnerability more.
Assessed Attacker Value: 4
Assessed Attacker Value: 1
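The affected pattern in the advisory text above (a proxying RewriteRule or ProxyPassMatch whose substitution re-inserts a request-target capture) and the exploitable/non-exploitable RewriteRule pair in the assessment can both be checked mechanically against a configuration. The following Python audit script is an added example, not code from the Apache project or from the assessment author. It scans httpd configuration text for RewriteRule directives carrying the [P] flag and for ProxyPassMatch directives, and reports those whose target places a backreference ($1..$9, or %1..%9 from RewriteCond) after the ? of the proxied URL; it also checks a version string against the fixed release 2.4.56 named in the advisory. The heuristic, the helper names and the sample configuration (built from the directives quoted on this page plus a made-up ProxyPassMatch line) are assumptions for the example.

```python
"""Audit Apache httpd configuration text for the CVE-2023-25690 pattern:
a proxying RewriteRule ([P] flag) or ProxyPassMatch whose substitution
re-inserts a request-target capture into the query string of the proxied
URL.  Added example; this is not Apache httpd code."""
import re
import shlex

# Backreferences that carry user-supplied request-target data ($N from the
# RewriteRule pattern, %N from a RewriteCond).  A backslash before the sigil
# makes it a literal, not a backreference.
BACKREF = re.compile(r'(?<!\\)[$%][0-9]')


def _tokens(line):
    """Split one config line into directive and arguments, honouring quotes.
    httpd comments start at the beginning of a line, so only those are dropped."""
    stripped = line.strip()
    if not stripped or stripped.startswith('#'):
        return []
    try:
        return shlex.split(stripped)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        return stripped.split()


def _flags(arg):
    """Parse a RewriteRule flag argument such as [P,NC,QSA] into flag names."""
    if not (arg.startswith('[') and arg.endswith(']')):
        return set()
    return {f.strip().split('=', 1)[0].upper()
            for f in arg[1:-1].split(',') if f.strip()}


def _query_backrefs(target):
    """Backreferences that land in the query-string part of a substitution URL."""
    if '?' not in target:
        return []
    return BACKREF.findall(target.split('?', 1)[1])


def audit_config(text):
    """Return a list of (line_number, directive, detail) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        toks = _tokens(raw)
        if len(toks) < 3:
            continue
        directive = toks[0]
        if directive.lower() == 'rewriterule':
            # Only rules that hand the request to mod_proxy ([P]) matter here.
            flags = _flags(toks[3]) if len(toks) > 3 else set()
            if 'P' not in flags:
                continue
            target = toks[2]
        elif directive.lower() == 'proxypassmatch':
            target = toks[2]
        else:
            continue
        refs = sorted(set(_query_backrefs(target)))
        if refs:
            findings.append((lineno, directive,
                             f"{', '.join(refs)} re-inserted into query string of {target}"))
    return findings


def httpd_is_fixed(version):
    """True when an httpd version string is at or above the fixed release 2.4.56.
    Non-numeric suffixes such as distro revisions are ignored."""
    parts = tuple(int(p) for p in re.findall(r'\d+', version)[:3])
    return parts >= (2, 4, 56)


# Constructed sample: the directives quoted on this page plus one made-up
# ProxyPassMatch line and one harmless ProxyPass line.
SAMPLE_CONFIG = """\
# constructed sample
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
RewriteRule "^/(.*)" "http://localhost:8081/?arg=$1" [P]
RewriteRule "^/(.*)" "http://localhost:8081/$1" [P]
ProxyPassMatch "^/api/(.*)$" "http://backend.internal:9000/search?q=$1"
ProxyPass /static/ http://backend.internal:9000/static/
"""

if __name__ == '__main__':
    for lineno, directive, detail in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive}: {detail}")
    print("2.4.55 contains the fix:", httpd_is_fixed("2.4.55"))
```

Run against the sample, the script flags lines 3, 5 and 7 (captures placed after the ?) and stays silent on line 6, where the capture sits in the path, matching the distinction drawn in the assessment. A hit is a reason to confirm the httpd version and review the rule, not proof of an exploitable boundary; as the assessment notes, the proxy also has to be enforcing some access control that the rewrite can be made to bypass.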
packetstormsecurity.com/files/176334/Apache-2.4.55-mod_proxy-HTTP-Request-Smuggling.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25690
github.com/dhmosfunk/CVE-2023-25690-POC
httpd.apache.org/security/vulnerabilities_24.html
lists.debian.org/debian-lts-announce/2023/04/msg00028.html
security.gentoo.org/glsa/202309-01