CVE-2019-17567

Published: 10 June 2021

In Apache HTTP Server versions 2.4.6 to 2.4.46, mod_proxy_wstunnel configured on a URL that is not necessarily Upgraded by the origin server tunneled the whole connection regardless. Subsequent requests on the same connection could therefore pass through without any HTTP validation, authentication or authorization that may have been configured.

Notes

Author: mdeslaur
Note: The patches required to fix this in stable releases are quite
intrusive and change behaviour. It may not make sense to
backport them to stable releases.

Priority

Medium

Cvss 3 Severity Score

5.3

Status

Package: apache2 (Launchpad, Ubuntu, Debian)

Release   Status
groovy    Ignored (end of life)
upstream  Released (2.4.48-1)
impish    Not vulnerable (2.4.48-3ubuntu1)
lunar     Not vulnerable (2.4.48-3ubuntu1)
bionic    Deferred
focal     Deferred
hirsute   Ignored (end of life)
jammy     Not vulnerable (2.4.48-3ubuntu1)
kinetic   Not vulnerable (2.4.48-3ubuntu1)
trusty    Deferred
xenial    Deferred
mantic    Not vulnerable (2.4.48-3ubuntu1)

Patches:
upstream: https://svn.apache.org/r1885605
upstream: https://github.com/apache/httpd/pull/156
upstream: https://github.com/apache/httpd/pull/158
upstream: https://github.com/apache/httpd/commit/f7d35dc166732bff0e55d1509202d76d53f8c270 (bp)
upstream: https://github.com/apache/httpd/commit/97597452bbdadcbe561cd14fc3ee9049e7d371dd (bp)
upstream: https://github.com/apache/httpd/commit/41cdf59f2343f11fca5152542d843c3403c233db (bp)
upstream: https://github.com/apache/httpd/commit/a834551b8393065e8124767d5d9fbafb4ec8fd96 (bp)
upstream: https://github.com/apache/httpd/commit/18c4ac516f146dbbff7c4cc6b4cb8cda2f79090a (bp)
upstream: https://github.com/apache/httpd/commit/fa22b50457c81465b5079dc44c7f1f1cb7431f5d
upstream: https://github.com/apache/httpd/commit/cb517a3b8a2fc1785c7afeff0f0dce69608833f5 (possibly)

Severity score breakdown

Parameter Value
Base score 5.3
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N