Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server, because of the client-side Connection header hop-by-hop mechanism. This may be used to bypass IP-based authentication on the origin server/application.
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
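An origin-side check for the condition described above, as an added example that is not part of the advisory or of Apache's code: it contrasts a client-IP resolver that falls back to the socket peer when X-Forwarded-For is missing with one that fails closed. The proxy address, the allow-list, the lower-cased header keys and all function names are assumptions made for the illustration.

```python
import ipaddress

# Assumed deployment values, constructed for this example.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}     # the reverse proxy
ALLOWED_CLIENTS = [ipaddress.ip_network("10.0.0.0/24")]  # origin's IP allow-list


def allowed(ip):
    return any(ip in net for net in ALLOWED_CLIENTS)


def client_ip_fallback(peer, headers):
    """Weak pattern: a missing X-Forwarded-For falls back to the socket peer,
    which is the proxy itself and usually sits inside the allow-list."""
    xff = headers.get("x-forwarded-for")
    return ipaddress.ip_address(xff.split(",")[-1].strip() if xff else peer)


def client_ip_strict(peer, headers):
    """Hardened pattern: a proxied request without X-Forwarded-For has no
    usable client IP, so the caller must reject it."""
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip              # direct connection: the header is ignored
    xff = headers.get("x-forwarded-for")
    if not xff:
        return None                 # proxy did not forward the header: fail closed
    try:
        # The last entry is the one appended by the trusted proxy.
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    except ValueError:
        return None                 # malformed value: fail closed


def authorize(resolver, peer, headers):
    ip = resolver(peer, headers)
    return ip is not None and allowed(ip)


# Constructed requests as seen by the origin, both arriving from the proxy.
WITH_XFF = {"x-forwarded-for": "203.0.113.7"}
WITHOUT_XFF = {}  # the header never reached the origin
```

Upgrading the proxy past 2.4.53 removes the cause; the strict resolver keeps the origin from trusting a request whose forwarding headers are absent.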
Name | Vendor | Start Version | End Version |
---|---|---|---|
Http_server | Apache | * | 2.4.53 (including) |
JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-httpd-0:2.4.51-37.el8jbcs | * |
JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_http2-0:1.15.19-20.el8jbcs | * |
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-httpd-0:2.4.51-37.el7jbcs | * |
JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_http2-0:1.15.19-20.el7jbcs | * |
Red Hat Enterprise Linux 8 | RedHat | httpd:2.4-8070020220725152258.3b9f49c4 | * |
Red Hat Enterprise Linux 9 | RedHat | httpd-0:2.4.53-7.el9 | * |
Red Hat JBoss Core Services 1 | RedHat | httpd | * |
Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | httpd24-httpd-0:2.4.34-23.el7.5 | * |
Apache2 | Ubuntu | bionic | * |
Apache2 | Ubuntu | devel | * |
Apache2 | Ubuntu | esm-infra/xenial | * |
Apache2 | Ubuntu | focal | * |
Apache2 | Ubuntu | impish | * |
Apache2 | Ubuntu | jammy | * |
Apache2 | Ubuntu | kinetic | * |
Apache2 | Ubuntu | trusty/esm | * |
Apache2 | Ubuntu | upstream | * |