Updated: 2023-11-07 19:06:39.600093
Description:
A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
Links: NIST, CIRCL, RHEL, Ubuntu

CVSS version | Severity | Score |
---|---|---|
CVSS Version 2.x | MEDIUM | 5 |
CVSS Version 3.x | HIGH | 7.5 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
---|---|---|---|---|---|---|---|
CentOS 6 ELS | httpd | 2.2.15 | 7.5 | HIGH | Ignored | | 2022-04-19 21:49:49 |
CentOS 8.4 ELS | httpd | 2.4.37 | 7.5 | HIGH | Released | CLSA-2022:1654106434 | 2022-06-01 14:37:18 |
CentOS 8.5 ELS | httpd | 2.4.37 | 7.5 | HIGH | Released | CLSA-2022:1654106630 | 2022-06-01 14:37:00 |
CloudLinux 6 ELS | httpd | 2.2.15 | 7.5 | HIGH | Ignored | | 2022-04-19 21:49:49 |
Oracle Linux 6 ELS | httpd | 2.2.15 | 7.5 | HIGH | Ignored | | 2022-04-19 21:49:49 |
Ubuntu 16.04 ELS | apache2 | 2.4.18 | 7.5 | HIGH | Ignored | | 2022-04-19 21:49:45 |
Ubuntu 18.04 ELS | apache2 | 2.4.29 | 7.5 | HIGH | Already Fixed | | 2023-06-02 09:11:09 |

We’ve reasoned that this vulnerability is hard to use to cause significant impact on the target system. Even with our fix, the system may still be vulnerable due to different intermediate web servers (proxies) used. Given that the fix is complex (and it requires significant time to adapt to our supported systems) and the rate is not that high, we’ve decided not to adopt it.