CVE-2022-31813 HTTP Server may not send X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism.

CVE-2022-31813 HTTP Server may not send X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism.

Apache HTTP Server software versions earlier than 2.4.53 are therefore potentially vulnerable to XSS attack. To protect against this issue update on your Apache HTTP Server software version or upgrade your existing Apache HTTP Server software to 2.4.53 or later versions.

Apache HTTP Server 2.4.53 and later has improved handling of the X-Forwarded-Proto HTTP header when proxying requests. The X-Forwarded-* headers are now only forwarded if the client sent them.

Apache HTTP Server software versions 2.4.53 and later also properly sanitizes the X-Forwarded-Proto header when proxying requests.
In case the client sent the X-Forwarded-* header Apache HTTP Server software properly sanitizes it and does not forward the header to the origin server.

To protect against this issue update on your Apache HTTP Server software version or upgrade your existing Apache HTTP Server software to 2.4.53 or later versions.
Redirecting X-Forwarded-Proto header to an application other than the one it was originally forwarded from is not a proper solution.
To protect against this issue update on your Apache HTTP Server software version or upgrade your existing Apache HTTP Server software to 2Redirecting X-Forwarded-* header to an application other than the one it was originally forwarded from is not a proper solution.

Apache HTTP Server Software Versions Affected By CVE-2022 -31813

Apache HTTP Server software versions earlier than 2.4.53 are therefore potentially vulnerable to XSS attack. To protect against this issue update on your Apache HTTP Server software version or upgrade your existing Apache HTTP Server software to 2.4.53 or later versions.

Apache HTTP Server 2.4.53 and later has improved handling of the X-Forwarded-Proto HTTP header when proxying requests. The X-Forwarded-* headers are now only forwarded if the client sent them.
Apache HTTP Server software versions 2.4.53 and later also properly sanitizes the X-Forwarded-Proto header when proxying requests
In case the client sent the X-Forwarded-* header Apache HTTP Server software properly sanitizes it and does not forward the header to the origin server

Apache HTTP Server Software Versions Affected

Apache HTTP Server software versions 2.4.53 and later are not vulnerable to CVE-2022-31813.
To protect against this issue update on your Apache HTTP Server software version or upgrade your existing Apache HTTP Server software to 2.4.53 or later versions.

Apache HTTP Server 2.4.x - CVE-2022-31813

Apache HTTP Server software versions earlier than 2.4.53 are therefore potentially vulnerable to XSS attack. To protect against this issue update on your Apache HTTP Server software version or upgrade your existing Apache HTTP Server software to 2.4.53 or later versions.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe