oss-sec mailing list archives
CVE-2022-31813: Apache HTTP Server: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism
From: Stefan Eissing <icing () apache org>
Date: Wed, 08 Jun 2022 09:44:06 +0000
Severity: low Description: Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. Credit: The Apache HTTP Server project would like to thank Gaetan Ferry (Synacktiv) for reporting this issue References: https://httpd.apache.org/security/vulnerabilities_24.html
Current thread:
- CVE-2022-31813: Apache HTTP Server: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism Stefan Eissing (Jun 08)