IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020.
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Http_server | Apache | 2.4.1 (including) | 2.4.23 (including) |
| Apache2 | Ubuntu | esm-infra-legacy/trusty | * |
| Apache2 | Ubuntu | precise/esm | * |
| Apache2 | Ubuntu | trusty | * |
| Apache2 | Ubuntu | trusty/esm | * |
| Apache2 | Ubuntu | upstream | * |
| Apache2 | Ubuntu | xenial | * |
| Red Hat Enterprise Linux 7 | RedHat | httpd-0:2.4.6-40.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | RedHat | httpd24-httpd-0:2.4.25-9.el6 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | RedHat | httpd24-httpd-0:2.4.25-9.el6 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | httpd24-httpd-0:2.4.25-9.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS | RedHat | httpd24-httpd-0:2.4.25-9.el7 | * |