{"api_version":"1","generated_at":"2026-04-23T00:39:33+00:00","cve":"CVE-2019-17567","urls":{"html":"https://cve.report/CVE-2019-17567","api":"https://cve.report/api/cve/CVE-2019-17567.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-17567","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-17567"},"summary":{"title":"CVE-2019-17567","description":"Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2021-06-10 07:15:00","updated_at":"2023-11-07 03:06:00"},"problem_types":["CWE-444"],"metrics":[],"references":[{"url":"https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd@%3Cdev.httpd.apache.org%3E","name":"[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://httpd.apache.org/security/vulnerabilities_24.html","name":"N/A","refsource":"CONFIRM","tags":[],"title":"Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E","name":"N/A","refsource":"CONFIRM","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/","name":"FEDORA-2021-e3f6dd670d","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: httpd-2.4.49-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/","name":"FEDORA-2021-dce7e7738e","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: httpd-2.4.49-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r90f693a5c9fb75550ef1412436d5e682a5f845beb427fa6f23419a3c%40%3Cannounce.httpd.apache.org%3E","name":"[httpd-announce] 20210609 CVE-2019-17567: mod_proxy_wstunnel tunneling of non Upgraded connections","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2021/06/10/2","name":"[oss-security] 20210609 CVE-2019-17567: Apache httpd: mod_proxy_wstunnel tunneling of non Upgraded connections","refsource":"MLIST","tags":[],"title":"oss-security - CVE-2019-17567: Apache httpd: mod_proxy_wstunnel tunneling of non Upgraded connections","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20210702-0001/","name":"https://security.netapp.com/advisory/ntap-20210702-0001/","refsource":"CONFIRM","tags":[],"title":"June 2021 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpuoct2021.html","name":"https://www.oracle.com/security-alerts/cpuoct2021.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - October 2021","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202107-38","name":"GLSA-202107-38","refsource":"GENTOO","tags":[],"title":"Apache: Multiple vulnerabilities (GLSA 202107-38) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/r90f693a5c9fb75550ef1412436d5e682a5f845beb427fa6f23419a3c@%3Cannounce.httpd.apache.org%3E","name":"[httpd-announce] 20210609 CVE-2019-17567: mod_proxy_wstunnel tunneling of non Upgraded connections","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd%40%3Cdev.httpd.apache.org%3E","name":"[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json","refsource":"","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/","name":"FEDORA-2021-e3f6dd670d","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: httpd-2.4.49-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/","name":"FEDORA-2021-dce7e7738e","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: httpd-2.4.49-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"503"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-17567","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-17567","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Reported by Mikhail Egorov (<0ang3el gmail.com>)","lang":""}],"nvd_cpes":[{"cve_year":"2019","cve_id":"17567","vulnerable":"1","versionEndIncluding":"2.4.46","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"http_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"17567","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"17567","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"17567","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"enterprise_manager_ops_center","cpe6":"12.4.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"17567","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"instantis_enterprisetrack","cpe6":"17.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"17567","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"instantis_enterprisetrack","cpe6":"17.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"17567","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"instantis_enterprisetrack","cpe6":"17.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"17567","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"zfs_storage_appliance_kit","cpe6":"8.8","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-17567","qid":"239865","title":"Red Hat Update for red hat jboss core services apache Hypertext Transfer Protocol (HTTP) server 2.4.37 sp10 (RHSA-2021:4614)"},{"cve":"CVE-2019-17567","qid":"281910","title":"Fedora Security Update for Hypertext Transfer Protocol Daemon (HTTPd) (FEDORA-2021-dce7e7738e)"},{"cve":"CVE-2019-17567","qid":"352395","title":"Amazon Linux Security Advisory for httpd: ALAS2-2021-1659"},{"cve":"CVE-2019-17567","qid":"352462","title":"Amazon Linux Security Advisory for httpd: ALAS2-2021-1674"},{"cve":"CVE-2019-17567","qid":"352477","title":"Amazon Linux Security Advisory for httpd24: ALAS-2021-1514"},{"cve":"CVE-2019-17567","qid":"690107","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (cce76eca-ca16-11eb-9b84-d4c9ef517024)"},{"cve":"CVE-2019-17567","qid":"710030","title":"Gentoo Linux Apache Multiple vulnerabilities (GLSA 202107-38)"},{"cve":"CVE-2019-17567","qid":"730109","title":"Apache HTTP Server Multiple Vulnerabilities"},{"cve":"CVE-2019-17567","qid":"900137","title":"CBL-Mariner Linux Security Update for httpd 2.4.46"},{"cve":"CVE-2019-17567","qid":"901662","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (6473-1)"},{"cve":"CVE-2019-17567","qid":"903538","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (4349)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2019-17567","STATE":"PUBLIC","TITLE":"mod_proxy_wstunnel tunneling of non Upgraded connections"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache HTTP Server","version":{"version_data":[{"version_affected":"=","version_name":"2.4","version_value":"2.4.46"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.43"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.41"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.39"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.38"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.37"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.35"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.34"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.33"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.29"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.28"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.27"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.26"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.25"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.23"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.20"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.18"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.17"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.16"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.12"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.10"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.9"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.7"},{"version_affected":"=","version_name":"2.4","version_value":"2.4.6"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"credit":[{"lang":"eng","value":"Reported by Mikhail Egorov (<0ang3el gmail.com>)"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":[{"other":"moderate"}],"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"mod_proxy_wstunnel tunneling of non Upgraded connections"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"http://httpd.apache.org/security/vulnerabilities_24.html","name":"http://httpd.apache.org/security/vulnerabilities_24.html"},{"refsource":"MISC","url":"https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E","name":"https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E"},{"refsource":"MLIST","name":"[httpd-announce] 20210609 CVE-2019-17567: mod_proxy_wstunnel tunneling of non Upgraded connections","url":"https://lists.apache.org/thread.html/r90f693a5c9fb75550ef1412436d5e682a5f845beb427fa6f23419a3c@%3Cannounce.httpd.apache.org%3E"},{"refsource":"MLIST","name":"[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json","url":"https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd@%3Cdev.httpd.apache.org%3E"},{"refsource":"MLIST","name":"[oss-security] 20210609 CVE-2019-17567: Apache httpd: mod_proxy_wstunnel tunneling of non Upgraded connections","url":"http://www.openwall.com/lists/oss-security/2021/06/10/2"},{"refsource":"GENTOO","name":"GLSA-202107-38","url":"https://security.gentoo.org/glsa/202107-38"},{"refsource":"FEDORA","name":"FEDORA-2021-dce7e7738e","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"},{"refsource":"FEDORA","name":"FEDORA-2021-e3f6dd670d","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"},{"url":"https://www.oracle.com/security-alerts/cpuoct2021.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20210702-0001/","url":"https://security.netapp.com/advisory/ntap-20210702-0001/"}]},"source":{"discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2021-06-10 07:15:00","lastModifiedDate":"2023-11-07 03:06:00","problem_types":["CWE-444"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*","versionStartIncluding":"2.4.6","versionEndIncluding":"2.4.46","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"17567","Ordinal":"157393","Title":"CVE-2019-17567","CVE":"CVE-2019-17567","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"17567","Ordinal":"1","NoteData":"Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"17567","Ordinal":"2","NoteData":"2021-06-10","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"17567","Ordinal":"3","NoteData":"2021-10-20","Type":"Other","Title":"Modified"}]}}}