oss-sec mailing list archives

CVE-2019-17567: Apache httpd: mod_proxy_wstunnel tunneling of non Upgraded connections

From: Christophe JAILLET <jailletc36 () apache org>
Date: Wed, 09 Jun 2021 23:11:00 +0200


CVE-2019-17567: mod_proxy_wstunnel tunneling of non Upgraded connections

Severity: moderate

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.6 to 2.4.46

Description:
Apache HTTP Server 2.4.6 to 2.4.46
mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole 
connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP 
validation, authentication or authorization possibly configured.
    
Mitigation:
Configure mod_proxy_wstunnel on URLs that are always Upgraded by the origin server

Credit:
Reported by Mikhail Egorov (<0ang3el gmail.com>)

References:
https://httpd.apache.org/security/vulnerabilities_24.html

Current thread:

CVE-2019-17567: Apache httpd: mod_proxy_wstunnel tunneling of non Upgraded connections Christophe JAILLET (Jun 10)