Уязвимость CVE-2019-17567: Информация

Описание

Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.

Важность: MEDIUM (5,3) Вектор: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-17567
Опубликовано: 10 июня 2021 г.
Изменено: 10 июня 2024 г.
Идентификатор типа ошибки: CWE-444

Исправленные пакеты

Имя пакета
Ветка
Исправлено в версии
Версия в репозитории
Errata ID
№ Задания
Состояние
apache2sisyphus2.4.47-alt12.4.59-alt1ALT-PU-2021-1838-1271621Исправлено
apache2p102.4.47-alt12.4.59-alt1ALT-PU-2021-1838-1271621Исправлено
apache2p92.4.48-alt32.4.58-alt1ALT-PU-2021-2035-1272181Исправлено
apache2c10f12.4.47-alt12.4.59-alt1ALT-PU-2021-1838-1271621Исправлено
apache2c9f22.4.48-alt3.12.4.59-alt1ALT-PU-2021-2339-1276671Исправлено
apache2p112.4.47-alt12.4.59-alt1ALT-PU-2021-1838-1271621Исправлено

Ссылки на рекомендации, решения и инструменты

Ссылка
Ресурс
N/A
  • Release Notes
  • Vendor Advisory
N/A
  • Mailing List
  • Vendor Advisory
[oss-security] 20210609 CVE-2019-17567: Apache httpd: mod_proxy_wstunnel tunneling of non Upgraded connections
  • Mailing List
  • Mitigation
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20210702-0001/
  • Third Party Advisory
GLSA-202107-38
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
  • Third Party Advisory
[httpd-announce] 20210609 CVE-2019-17567: mod_proxy_wstunnel tunneling of non Upgraded connections
    [httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json
      FEDORA-2021-dce7e7738e
        FEDORA-2021-e3f6dd670d
          [debian-lts-announce] 20240525 [SECURITY] [DLA 3818-1] apache2 security update

              1. Конфигурация 1

                cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
                Start including
                2.4.6
                End including
                2.4.46

                Конфигурация 2

                cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
                cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

                Конфигурация 3

                cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
                cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
                cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
                cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
                cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
            VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
            Версия: v24.5.3
            Наверх