Main Vulnerability Database Vulnerabilities #VU53780

#VU53780 Security restrictions bypass in Apache HTTP Server - CVE-2019-17567

Published: June 3, 2021

Vulnerability identifier: #VU53780

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-17567

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Apache HTTP Server

Software vendor:
Apache Foundation

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to unspecified error within the mod_proxy_wstunnel and mod_proxy_http modules. If mod_proxy_wstunnel is configured on an URL that is not necessarily Upgraded by the origin server and is tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.

Remediation

Install updates from vendor's website.

External links

https://downloads.apache.org/httpd/CHANGES_2.4.48

#VU53780 Security restrictions bypass in Apache HTTP Server - CVE-2019-17567

Description

Remediation

External links

Please verify you're human