CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS

Percentile | 87.0% |
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through
2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected
when mod_proxy is enabled along with some form of RewriteRule or
ProxyPassMatch in which a non-specific pattern matches some portion of the
user-supplied request-target (URL) data and is then re-inserted into the
proxied request-target using variable substitution. For example, something
like:

    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
    ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in
the proxy server, proxying unintended URLs to existing origin servers, and
cache poisoning. Users are recommended to update to at least version 2.4.56
of Apache HTTP Server.
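As an added example (not part of this advisory, and not Apache's own tooling), the Python script below turns the advisory's description into a configuration lint: it flags `RewriteRule ... [P]` and `ProxyPassMatch` directives whose substitution re-inserts a `$N` backreference captured by a non-specific pattern (an unbounded wildcard such as `.*`), and it checks an upstream httpd version string against the 2.4.56 fix. The sample configuration, the `backend.internal` and `img.internal` hostnames, and the wildcard heuristic are constructed assumptions.

```python
import re
import shlex
from typing import Dict, List

# Heuristic for a "non-specific" capture group: an unbounded wildcard such as
# .* / .+ or a negated class with a repeat, e.g. [^/]*  (assumption: this is
# the shape of pattern the advisory warns about; a tight class is excluded).
UNBOUNDED = re.compile(r"\.[*+]|\[\^[^\]]*\][*+]")

# Upstream fixed version named in the advisory.
FIXED_VERSION = (2, 4, 56)

# Constructed sample configuration (not taken from any real deployment). Line 2
# mirrors the shape the advisory describes; the other rules are for contrast.
SAMPLE_CONFIG = """\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
ProxyPassMatch "^/api/(.*)$" "http://backend.internal:9000/$1"
RewriteRule "^/static/([a-z0-9_-]+)\\.png$" "http://img.internal/$1.png" [P]
RewriteRule "^/old$" "/new" [R=301,L]
"""


def capture_groups(pattern: str) -> List[str]:
    """Return the body of each capturing group in $1, $2, ... order."""
    found, stack = [], []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":            # skip escaped characters such as \( or \.
            i += 2
            continue
        if ch == "(":
            capturing = not pattern.startswith("(?", i)  # (?:...) etc. do not count
            stack.append((i + 1, capturing))
        elif ch == ")" and stack:
            start, capturing = stack.pop()
            if capturing:
                found.append((start, pattern[start:i]))
        i += 1
    # Regex engines number groups by the position of the opening parenthesis.
    return [body for _, body in sorted(found)]


def audit(config_text: str) -> List[Dict[str, object]]:
    """Flag proxying directives that re-insert a non-specific capture."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes are a syntax problem, not this lint's job
        if len(tokens) < 3:
            continue
        directive = tokens[0].lower()
        if directive == "rewriterule":
            flags = tokens[3].strip("[]").split(",") if len(tokens) > 3 else []
            proxied = any(f.strip() in ("P", "proxy") for f in flags)
        elif directive == "proxypassmatch":
            proxied = True  # ProxyPassMatch always proxies
        else:
            continue
        if not proxied:
            continue
        pattern, subst = tokens[1], tokens[2]
        groups = capture_groups(pattern)
        for ref in sorted(set(re.findall(r"\$(\d)", subst))):
            idx = int(ref) - 1
            if idx < len(groups) and UNBOUNDED.search(groups[idx]):
                findings.append({"line": lineno, "directive": tokens[0],
                                 "ref": ref, "group": groups[idx],
                                 "substitution": subst})
    return findings


def needs_update(version: str) -> bool:
    """True if an upstream httpd version falls in the affected range
    2.4.0 through 2.4.55. Distro packages may backport the fix without
    changing this number, so compare against the vendor's fixed version too."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    parts = tuple(int(p) for p in m.groups())
    return (2, 4, 0) <= parts < FIXED_VERSION


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['directive']} re-inserts ${f['ref']} "
              f"(group '{f['group']}') into proxied target {f['substitution']!r}")
    print("2.4.55 needs update:", needs_update("2.4.55"))
```

The lint is only a triage aid: the fix is the version update, and a rule with a tighter class still warrants it. For distribution packages, match the installed package version against the vendor's fixed version (as in the table below) rather than the upstream number, since the backported fix keeps the upstream version string.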
Author | Note |
---|---|
mdeslaur | fixed by r1908095 in 2.4.x |
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | apache2 | < 2.4.29-1ubuntu4.27 | UNKNOWN |
ubuntu | 20.04 | noarch | apache2 | < 2.4.41-4ubuntu3.14 | UNKNOWN |
ubuntu | 22.04 | noarch | apache2 | < 2.4.52-1ubuntu4.4 | UNKNOWN |
ubuntu | 22.10 | noarch | apache2 | < 2.4.54-2ubuntu1.2 | UNKNOWN |
ubuntu | 23.04 | noarch | apache2 | < 2.4.55-1ubuntu2 | UNKNOWN |
ubuntu | 23.10 | noarch | apache2 | < 2.4.55-1ubuntu2 | UNKNOWN |
ubuntu | 24.04 | noarch | apache2 | < 2.4.55-1ubuntu2 | UNKNOWN |
ubuntu | 14.04 | noarch | apache2 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | apache2 | < 2.4.18-2ubuntu3.17+esm10 | UNKNOWN |