Informazioni sul CVE-2023-25690
Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy
CWE ID: CWE-444
Base Score (CVSS): N/A
CVE: CVE-2023-25690
Descrizione: Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule “^/here/(.*)” “http://example.com:8080/elsewhere?$1”; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
Vettore di attacco
Punteggio CVSS
Il CVSS è un sistema di valutazione che misura la gravità di una vulnerabilità informatica considerando fattori come l’impatto potenziale, la probabilità di attacco e la facilità di esecuzione.
Riassunto: .
Dettaglio del Vettore
| Metrica | Valore | Significato | Descrizione |
|---|
Riferimenti esterni
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html
- https://security.gentoo.org/glsa/202309-01
- http://packetstormsecurity.com/files/176334/Apache-2.4.55-mod_proxy-HTTP-Request-Smuggling.html
Prodotti interessati
- Apache Software Foundation – Apache HTTP Server
Relazioni con altri prodotti
Produttore:Apache Software Foundation
Prodotto: Apache HTTP Server
Anno: 2023
CWE: CWE-444
CVSS: 0.0