Vulnerability in Apache Software Foundation Http Server
CVE-2019-17567
In Apache HTTP Server versions 2.4.6 to 2.4.46, mod_proxy_wstunnel configured on a URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same conn…
EPSS: 0.597 (99.0th percentile)
Affected products
- Apache Software Foundation Http Server — versions 2.4.46, 2.4.43, 2.4.41
Public proof-of-concept exploits
References
- httpd.apache.org/security/vulnerabilities_24.html
- lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cb…
- [httpd-announce] 20210609 CVE-2019-17567: mod_proxy_wstunnel tunneling of non Upgraded connections (mailing-list)
- [httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json (mailing-list)
- [oss-security] 20210609 CVE-2019-17567: Apache httpd: mod_proxy_wstunnel tunneling of non Upgraded connections (mailing-list)
- GLSA-202107-38 (vendor-advisory)
- FEDORA-2021-dce7e7738e (vendor-advisory)
- FEDORA-2021-e3f6dd670d (vendor-advisory)
- www.oracle.com/security-alerts/cpuoct2021.html
- security.netapp.com/advisory/ntap-20210702-0001/
Frequently asked questions
- What is CVE-2019-17567?
  CVE-2019-17567 is a vulnerability in Apache Software Foundation Http Server. Published 2021-06-10.
- Is CVE-2019-17567 known to be exploited?
  16 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.