Apache HTTP Server 2.4.0 - 2.4.55 HTTP Request Smuggling Vulnerability - Linux

2023-03-0800:00:00

plugins.openvas.org

apache

http server

request smuggling

vulnerability

linux

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

80.9%

JSON

Apache HTTP Server is prone to a HTTP request smuggling
vulnerability.

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:apache:http_server";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.104597");
  script_version("2024-02-15T05:05:40+0000");
  script_tag(name:"last_modification", value:"2024-02-15 05:05:40 +0000 (Thu, 15 Feb 2024)");
  script_tag(name:"creation_date", value:"2023-03-08 09:17:09 +0000 (Wed, 08 Mar 2023)");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-03-14 15:41:00 +0000 (Tue, 14 Mar 2023)");

  script_cve_id("CVE-2023-25690");

  script_tag(name:"qod_type", value:"remote_banner_unreliable");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("Apache HTTP Server 2.4.0 - 2.4.55 HTTP Request Smuggling Vulnerability - Linux");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("Web Servers");
  script_dependencies("gb_apache_http_server_consolidation.nasl", "os_detection.nasl");
  script_mandatory_keys("apache/http_server/detected", "Host/runs_unixoide");

  script_tag(name:"summary", value:"Apache HTTP Server is prone to a HTTP request smuggling
  vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"Some mod_proxy configurations allow a HTTP Request Smuggling
  attack.

  Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or
  ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied
  request-target (URL) data and is then re-inserted into the proxied request-target using variable
  substitution.");

  script_tag(name:"impact", value:"Request splitting/smuggling could result in bypass of access
  controls in the proxy server, proxying unintended URLs to existing origin servers, and cache
  poisoning.");

  script_tag(name:"affected", value:"Apache HTTP Server versions 2.4.0 through 2.4.55.");

  script_tag(name:"solution", value:"Update to version 2.4.56 or later.");

  script_xref(name:"URL", value:"https://httpd.apache.org/security/vulnerabilities_24.html#2.4.56");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if (isnull(port = get_app_port(cpe: CPE)))
  exit(0);

if (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE,
                                          version_regex: "^[0-9]+\.[0-9]+\.[0-9]+"))
  exit(0);

version = infos["version"];
location = infos["location"];

if (version_in_range_exclusive(version: version, test_version_lo: "2.4.0", test_version_up: "2.4.56")) {
  report = report_fixed_ver(installed_version: version, fixed_version: "2.4.56", install_path: location);
  security_message(port: port, data: report);
  exit(0);
}

exit(99);