Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.
Weakness
The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Http_server | Apache | * | 2.4.54 (excluding) |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-httpd-0:2.4.51-37.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_http2-0:1.15.19-20.el8jbcs | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-httpd-0:2.4.51-37.el7jbcs | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_http2-0:1.15.19-20.el7jbcs | * |
| Red Hat Enterprise Linux 8 | RedHat | httpd:2.4-8070020220725152258.3b9f49c4 | * |
| Red Hat Enterprise Linux 9 | RedHat | httpd-0:2.4.53-7.el9 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | httpd24-httpd-0:2.4.34-23.el7.5 | * |
| Text-Only JBCS | RedHat | * | |
| Apache2 | Ubuntu | bionic | * |
| Apache2 | Ubuntu | devel | * |
| Apache2 | Ubuntu | esm-infra-legacy/trusty | * |
| Apache2 | Ubuntu | esm-infra/bionic | * |
| Apache2 | Ubuntu | esm-infra/focal | * |
| Apache2 | Ubuntu | esm-infra/xenial | * |
| Apache2 | Ubuntu | focal | * |
| Apache2 | Ubuntu | impish | * |
| Apache2 | Ubuntu | jammy | * |
| Apache2 | Ubuntu | kinetic | * |
| Apache2 | Ubuntu | trusty/esm | * |
| Apache2 | Ubuntu | upstream | * |
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/141.html
- https://cwe.mitre.org/data/definitions/142.html
- https://cwe.mitre.org/data/definitions/73.html
- https://cwe.mitre.org/data/definitions/76.html
- https://cwe.mitre.org/data/definitions/85.html
References
- http://www.openwall.com/lists/oss-security/2022/06/08/8
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20220624-0005/
- http://www.openwall.com/lists/oss-security/2022/06/08/8
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20220624-0005/