CVE-2019-17567

Summary

Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache HTTP Server2.4.46affected
Apache Software FoundationApache HTTP Server2.4.43affected
Apache Software FoundationApache HTTP Server2.4.41affected
Apache Software FoundationApache HTTP Server2.4.39affected
Apache Software FoundationApache HTTP Server2.4.38affected
Apache Software FoundationApache HTTP Server2.4.37affected
Apache Software FoundationApache HTTP Server2.4.35affected
Apache Software FoundationApache HTTP Server2.4.34affected
Apache Software FoundationApache HTTP Server2.4.33affected
Apache Software FoundationApache HTTP Server2.4.29affected
Apache Software FoundationApache HTTP Server2.4.28affected
Apache Software FoundationApache HTTP Server2.4.27affected
Apache Software FoundationApache HTTP Server2.4.26affected
Apache Software FoundationApache HTTP Server2.4.25affected
Apache Software FoundationApache HTTP Server2.4.23affected
Apache Software FoundationApache HTTP Server2.4.20affected
Apache Software FoundationApache HTTP Server2.4.18affected
Apache Software FoundationApache HTTP Server2.4.17affected
Apache Software FoundationApache HTTP Server2.4.16affected
Apache Software FoundationApache HTTP Server2.4.12affected
Apache Software FoundationApache HTTP Server2.4.10affected
Apache Software FoundationApache HTTP Server2.4.9affected
Apache Software FoundationApache HTTP Server2.4.7affected
Apache Software FoundationApache HTTP Server2.4.6affected

Weaknesses

  • mod_proxy_wstunnel tunneling of non Upgraded connections

ADP Enrichment

CVE Program Container

Additional References

References