CVE-2024-43204

Published: 14 Jul 2025
Source: redhat
CVSS3: 5.4

Description

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64 which fixes this issue.

A server-side request forgery (SSRF) vulnerability exists in Apache httpd when the server has mod_proxy loaded and mod_headers is configured to modify the Content-Type header of the HTTP request or response using a value supplied by the user. Under this configuration, the flaw allows an attacker to craft requests that manipulate the Content-Type header and trigger outbound proxy requests to arbitrary attacker-controlled URLs. The vulnerability stems from inadequate input validation and unsafe header manipulation, ultimately allowing an attacker to influence server-side network behavior.

Statement

Exploitation requires a non-default and uncommon server configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. This issue is rated as a Moderate vulnerability primarily because of its reliance on that non-default and uncommon server configuration, which significantly limits its exploitability. Specifically, successful exploitation requires the Apache HTTP Server to have both mod_proxy and mod_headers enabled, and for mod_headers to be explicitly misconfigured to set or modify the Content-Type header using unvalidated user input, a rare and generally discouraged setup. Moreover, the SSRF does not result in information disclosure, privilege escalation, or code execution, but merely allows outbound connections from the server to attacker-controlled endpoints.
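The condition described in the description and statement above (mod_proxy loaded, plus a mod_headers rule that writes Content-Type from request-derived input) can be checked for in a configuration audit. The following is an added example written for this page, not code from Red Hat or the httpd project; the configuration fragment is constructed, and the check assumes the standard mod_headers format tokens `%{NAME}i` (request header), `%{NAME}e` (environment variable) and `expr=` (expression) as the markers of request-derived values.

```python
import re

# Constructed sample httpd configuration fragment (not from any real server).
# Line 3 is the risky pattern this CVE depends on: Content-Type rewritten from
# a value the client controls. Line 4 edits Content-Type with fixed strings only.
SAMPLE_CONFIG = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule headers_module modules/mod_headers.so
RequestHeader set Content-Type "%{X-Upload-Type}i"
Header edit Content-Type "^text/plain" "text/plain; charset=utf-8"
RequestHeader set X-Forwarded-Proto "https"
"""

# A Header/RequestHeader directive whose target header is Content-Type.
HEADER_DIRECTIVE = re.compile(
    r'^\s*(Header|RequestHeader)\s+(?:always\s+|onsuccess\s+)?'
    r'(set|append|merge|add|edit\*?|setifempty)\s+"?Content-Type"?\s+(.*)$',
    re.IGNORECASE,
)
# Value parts that are derived from the request: header/env lookups or expr=.
REQUEST_DERIVED = re.compile(r'%\{[^}]+\}[ie]|\bexpr=', re.IGNORECASE)


def loaded_modules(config):
    """Module identifiers from LoadModule lines, e.g. {'proxy_module', ...}."""
    return {m.group(1).lower()
            for m in re.finditer(r'^\s*LoadModule\s+(\S+)', config, re.M)}


def find_risky_content_type_rules(config):
    """(line_no, line) for mod_headers rules setting Content-Type from request input."""
    hits = []
    for n, line in enumerate(config.splitlines(), 1):
        m = HEADER_DIRECTIVE.match(line)
        if m and REQUEST_DERIVED.search(m.group(3)):
            hits.append((n, line.strip()))
    return hits


def assess(config):
    """Report whether all three preconditions named in the advisory are present."""
    mods = loaded_modules(config)
    rules = find_risky_content_type_rules(config)
    has_proxy = 'proxy_module' in mods
    has_headers = 'headers_module' in mods
    return {'proxy': has_proxy, 'headers': has_headers, 'rules': rules,
            'exposed': has_proxy and has_headers and bool(rules)}


if __name__ == '__main__':
    print(assess(SAMPLE_CONFIG))
```

A hit means the server matches the configuration the advisory calls out; the fix remains upgrading to 2.4.64 (or the vendor's patched package) and removing the rule that copies client input into Content-Type.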

Mitigation

No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

Affected packages

Platform                          Package                State
Red Hat Enterprise Linux 10       httpd                  Fix deferred
Red Hat Enterprise Linux 6        httpd                  Out of support scope
Red Hat Enterprise Linux 7        httpd                  Out of support scope
Red Hat Enterprise Linux 8        httpd:2.4/httpd        Fix deferred
Red Hat Enterprise Linux 9        httpd                  Fix deferred
Red Hat JBoss Core Services       httpd                  Fix deferred
Red Hat JBoss Core Services       jbcs-httpd24-httpd     Fix deferred

(No recommendation or release is listed for any of these packages.)


Additional information

Status: Moderate
Weakness: CWE-918
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2374553 (httpd: SSRF in Apache HTTP Server with mod_proxy loaded)

CVSS3: 5.4 (Medium)

Related vulnerabilities

ubuntu (CVSS3: 7.5, about 1 month ago)
SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64 which fixes this issue.

nvd (CVSS3: 7.5, about 1 month ago)
Same description as the ubuntu entry above.

msrc (CVSS3: 7.5, about 1 month ago)
No description available.

debian (CVSS3: 7.5, about 1 month ago)
SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to ...

github (CVSS3: 7.5, about 1 month ago)
Same description as the ubuntu entry above.
