CVE-2022-31813
Summary
| CVE | CVE-2022-31813 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-06-09 17:15:00 UTC |
| Updated | 2023-11-07 03:47:00 UTC |
| Description | Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. |
Risk And Classification
Problem Types: CWE-345
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Http Server | All | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Operating System | Fedoraproject | Fedora | 36 | All | All | All |
| Application | Netapp | Clustered Data Ontap | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache HTTPD: Multiple Vulnerabilities (GLSA 202208-20) — Gentoo security | GENTOO | security.gentoo.org | |
| [SECURITY] Fedora 36 Update: httpd-2.4.54-3.fc36 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 36 Update: httpd-2.4.54-3.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project | MISC | httpd.apache.org | |
| [SECURITY] Fedora 35 Update: httpd-2.4.54-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| June 2022 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| oss-security - CVE-2022-31813: Apache HTTP Server: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism | MLIST | www.openwall.com | |
| [SECURITY] Fedora 35 Update: httpd-2.4.54-1.fc35 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: The Apache HTTP Server project would like to thank Gaetan Ferry (Synacktiv) for reporting this issue
Legacy QID Mappings
- 150539 Apache HTTP Server 2.4.53 Multiple Vulnerabilities
- 160015 Oracle Enterprise Linux Security Update for httpd (ELSA-2022-9676)
- 160016 Oracle Enterprise Linux Security Update for httpd (ELSA-2022-9675)
- 160022 Oracle Enterprise Linux Security Update for httpd (ELSA-2022-9680)
- 160040 Oracle Enterprise Linux Security Update for httpd:2.4 (ELSA-2022-9682)
- 160250 Oracle Enterprise Linux Security Update for httpd:2.4 (ELSA-2022-7647)
- 160309 Oracle Enterprise Linux Security Update for httpd (ELSA-2022-8067)
- 180835 Debian Security Update for apache2 (CVE-2022-31813)
- 198838 Ubuntu Security Notification for Apache Hypertext Transfer Protocol (HTTP) Server Vulnerabilities (USN-5487-1)
- 240698 Red Hat Update for httpd24-httpd (RHSA-2022:6753)
- 240854 Red Hat Update for httpd:2.4 (RHSA-2022:7647)
- 240885 Red Hat Update for httpd security (RHSA-2022:8067)
- 240996 Red Hat Update for JBoss Core Services (RHSA-2022:8840)
- 282882 Fedora Security Update for httpd (FEDORA-2022-e620fb15d5)
- 282903 Fedora Security Update for httpd (FEDORA-2022-b54a8dee29)
- 296082 Oracle Solaris 11.4 Support Repository Update (SRU) 48.126.1 Missing (CPUJUL2022)
- 353971 Amazon Linux Security Advisory for httpd24 : ALAS-2022-1607
- 353988 Amazon Linux Security Advisory for httpd : ALAS2-2022-1812
- 354482 Amazon Linux Security Advisory for httpd : ALAS2022-2022-202
- 354513 Amazon Linux Security Advisory for httpd : ALAS2022-2022-110
- 354577 Amazon Linux Security Advisory for httpd : ALAS2022-2022-202
- 355264 Amazon Linux Security Advisory for httpd : ALAS2023-2023-072
- 376863 IBM Hypertext Transfer Protocol (HTTP) Server Multiple Vulnerabilities (6595149)
- 377911 Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities (CPUJAN2023)
- 501353 Alpine Linux Security Update for apache2
- 503857 Alpine Linux Security Update for apache2
- 672022 EulerOS Security Update for httpd (EulerOS-SA-2022-2256)
- 672052 EulerOS Security Update for httpd (EulerOS-SA-2022-2222)
- 672060 EulerOS Security Update for httpd (EulerOS-SA-2022-2243)
- 672082 EulerOS Security Update for httpd (EulerOS-SA-2022-2320)
- 672128 EulerOS Security Update for httpd (EulerOS-SA-2022-2291)
- 690877 Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (49adfbe5-e7d1-11ec-8fbd-d4c9ef517024)
- 710595 Gentoo Linux Apache HTTPD Multiple Vulnerabilities (GLSA 202208-20)
- 730529 Apache Hypertext Transfer Protocol Server (HTTP Server) mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism Vulnerability
- 730739 IBM Aspera Faspex Multiple Security Vulnerabilities (6952319)
- 752247 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2101-1)
- 752248 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2099-1)
- 752307 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2302-1)
- 752326 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2338-1)
- 752331 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2342-1)
- 940741 AlmaLinux Security Update for httpd:2.4 (ALSA-2022:7647)
- 940823 AlmaLinux Security Update for httpd (ALSA-2022:8067)
- 960175 Rocky Linux Security Update for httpd:2.4 (RLSA-2022:7647)
- 960481 Rocky Linux Security Update for httpd (RLSA-2022:8067)