Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.
References
Link | Resource |
---|---|
https://httpd.apache.org/security/vulnerabilities_24.html | Vendor Advisory |
http://www.openwall.com/lists/oss-security/2022/06/08/8 | Mailing List Third Party Advisory |
https://security.netapp.com/advisory/ntap-20220624-0005/ | Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/ | Mailing List Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/ | Mailing List Third Party Advisory |
https://security.gentoo.org/glsa/202208-20 | Third Party Advisory |
Information
Published : 2022-06-09 10:15
Updated : 2022-08-19 05:54
NVD link : CVE-2022-31813
Mitre link : CVE-2022-31813
JSON object : View
CWE
CWE-345
Insufficient Verification of Data Authenticity
Products Affected
apache
- http_server
netapp
- clustered_data_ontap
fedoraproject
- fedora