Apache HTTPD Request Smuggling (CVE-2023-25690)


Fleury, Terry

Apr 10, 2023, 3:05:02 PM
to cv-an...@trustedci.org

CI Operators:

A security vulnerability discovered in the Apache HTTPD server [1] could allow an HTTP Request Smuggling attack for certain configurations. If your Apache web server uses any of the configuration options RewriteRule/ProxyPassMatch/ProxyPassReverse with certain pattern matching, you may be affected. This issue is recorded as CVE-2023-25690 [2] and has a CVSS v3 score of 9.8.


Impact:

An Apache HTTPD configuration file which includes RewriteRule, ProxyPassMatch, or ProxyPassReverse statements where a non-specific pattern matches a portion of the user-supplied URL and is then re-inserted into the proxied request target is exposed to HTTP request smuggling. The consequences include bypassing access controls, proxying unintended URLs to existing origin servers, and cache poisoning.


Example configuration:


RewriteEngine on
# The (.*) capture taken from the client-supplied URL is re-inserted into the proxied target
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
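As an added audit helper (not part of this advisory and not code from the Apache project), the following Python flags configuration lines of the shape described above: a RewriteRule carrying the [P] flag, or a ProxyPassMatch, whose pattern contains a wildcard capture group that is then substituted back into the proxy target. The regular-expression heuristics are assumptions made for this example; the sample configuration is constructed to mirror the one above.

```python
import re

# Constructed sample mirroring the advisory's vulnerable configuration shape.
SAMPLE_CONFIG = """RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
"""

# Heuristics (assumptions for this example, not an official Apache check):
# a [P]/[proxy] flag anywhere in the RewriteRule flag list ...
_PROXY_FLAG = re.compile(r"\[(?:[^\]]*,)?\s*(?:P|proxy)\s*(?:,[^\]]*)?\]")
# ... a capture group built on an unbounded quantifier, e.g. (.*) (.+) ([^/]+) ...
_WILD_GROUP = re.compile(r"\((?:[^()]*[.*+][^()]*)\)")
# ... and a back-reference that re-inserts that capture into the target.
_BACKREF = re.compile(r"\$\d")

def _split_args(line):
    """Tokenise a directive line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]

def find_risky_proxy_rules(config_text):
    """Return (line_no, directive, reason) for directives that take a wildcard
    capture from the client URL and re-insert it into the proxied request
    target, which is the configuration shape the advisory describes."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        args = _split_args(line)
        name = args[0].lower()  # Apache directive names are case-insensitive
        if name == "rewriterule" and len(args) >= 3:
            pattern, subst, flags = args[1], args[2], " ".join(args[3:])
            if (_PROXY_FLAG.search(flags) and _WILD_GROUP.search(pattern)
                    and _BACKREF.search(subst)):
                findings.append((n, args[0], "wildcard capture re-inserted into [P] target"))
        elif name == "proxypassmatch" and len(args) >= 3:
            if _WILD_GROUP.search(args[1]) and _BACKREF.search(args[2]):
                findings.append((n, args[0], "wildcard capture re-inserted into proxy target"))
    return findings

def version_is_fixed(version):
    """True when an httpd 2.4.x version string is at or above the fixed 2.4.56."""
    return tuple(int(p) for p in version.split(".")) >= (2, 4, 56)

if __name__ == "__main__":
    for line_no, directive, reason in find_risky_proxy_rules(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive}: {reason}")
```

Distribution packages often backport the fix without changing the upstream version number, so treat the version check as a hint and confirm against the vendor pages in the references.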


Affected Software:

Apache HTTPD v2.4.x < 2.4.56


Recommendation:

If your Apache web server uses RewriteRule, ProxyPassMatch, or ProxyPassReverse, update to the latest version of Apache HTTPD for your operating system [3,4,5], and restart the Apache web server. There are no recommended mitigations.


References:

[1] https://httpd.apache.org/security/vulnerabilities_24.html

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25690 

[3] https://access.redhat.com/security/cve/CVE-2023-25690

[4] https://ubuntu.com/security/CVE-2023-25690 

[5] https://security-tracker.debian.org/tracker/CVE-2023-25690 


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.


You are receiving this message because you are subscribed to cv-an...@trustedci.org. The archive of previous alerts is publicly accessible. If you prefer not to receive future alerts, you can unsubscribe.
