oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2022-31813: Apache HTTP Server: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism

From: Stefan Eissing <icing () apache org>
Date: Wed, 08 Jun 2022 09:44:06 +0000
Severity: low

Description:

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side 
Connection header hop-by-hop mechanism.
This may be used to bypass IP based authentication on the origin server/application.

Credit:

The Apache HTTP Server project would like to thank Gaetan Ferry (Synacktiv) for reporting this issue

References:

https://httpd.apache.org/security/vulnerabilities_24.html
Previous By Date Next
Previous By Thread Next

Current thread: