Updated: 2023-11-07 20:22:24.206669
Description:
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
Links | NIST | CIRCL | RHEL | Ubuntu |
Severity | Score | |
---|---|---|
CVSS Version 2.x | MEDIUM | 6.4 |
CVSS Version 3.x | HIGH | 8.2 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
---|---|---|---|---|---|---|---|
AlmaLinux 9.2 ESU | httpd | 2.4.53 | 8.2 | HIGH | Not Vulnerable | 2023-11-08 08:36:01 | |
CentOS 6 ELS | httpd | 2.2.15 | 8.2 | HIGH | Not Vulnerable | 2022-04-19 21:49:49 | |
CentOS 7 ELS | httpd | 2.4.6 | 8.2 | HIGH | Not Vulnerable | 2023-10-27 11:07:14 | |
CentOS 8.4 ELS | httpd | 2.4.37 | 8.2 | HIGH | Released | CLSA-2022:1644869841 | 2022-04-19 21:49:49 |
CentOS 8.5 ELS | httpd | 2.4.37 | 8.2 | HIGH | Released | CLSA-2022:1644869383 | 2022-04-19 21:49:49 |
CloudLinux 6 ELS | httpd | 2.2.15 | 8.2 | HIGH | Not Vulnerable | 2022-04-19 21:49:49 | |
Oracle Linux 6 ELS | httpd | 2.2.15 | 8.2 | HIGH | Not Vulnerable | 2022-04-19 21:49:49 | |
Ubuntu 16.04 ELS | apache2 | 2.4.18 | 8.2 | HIGH | Released | CLSA-2021:1640697114 | 2022-04-19 21:49:45 |
Ubuntu 18.04 ELS | apache2 | 2.4.29 | 8.2 | HIGH | Already Fixed | 2023-06-02 09:10:44 |
Vulnerable piece of code doesn’t exist in our version