CVE-2022-31813: Apache HTTP Server may not send X-Forwarded-* headers to the origin server, based on the client-side Connection header hop-by-hop mechanism.

Apache HTTP Server software versions earlier than 2.4.53 are potentially vulnerable to XSS attack. To protect against this issue, update your Apache HTTP Server software to version 2.4.53 or later.

Apache HTTP Server 2.4.53 and later have improved handling of the X-Forwarded-Proto HTTP header when proxying requests. The X-Forwarded-* headers are now only forwarded if the client sent them.

Apache HTTP Server software versions 2.4.53 and later also properly sanitize the X-Forwarded-Proto header when proxying requests.
In case the client sent an X-Forwarded-* header, Apache HTTP Server software properly sanitizes it and does not forward the header to the origin server.

To protect against this issue, update your Apache HTTP Server software to version 2.4.53 or later.
Redirecting the X-Forwarded-Proto header (or any other X-Forwarded-* header) to an application other than the one it was originally forwarded from is not a proper solution.
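The following is an added example, not code from this advisory or from the Apache project. It models in Python the header handling the advisory describes: a proxy that lets client-supplied Connection tokens strip its own X-Forwarded-* headers, beside a hardened ordering that adds proxy-owned headers only after hop-by-hop processing, plus a check that flags such requests for logging. All function names, constants and the sample request are assumptions constructed for the example.

```python
# Added example (not from the advisory or the Apache project): a minimal model
# of how a reverse proxy should combine RFC 7230 hop-by-hop stripping with the
# X-Forwarded-* headers it adds itself, plus a check to flag suspicious requests.

# Headers the proxy itself owns; the origin must only ever see the proxy's copy.
PROXY_OWNED = ("x-forwarded-for", "x-forwarded-host", "x-forwarded-server",
               "x-forwarded-proto")
# Headers that are hop-by-hop by definition and are always dropped.
ALWAYS_HOP_BY_HOP = ("connection", "keep-alive", "proxy-authenticate",
                     "proxy-authorization", "te", "trailer",
                     "transfer-encoding", "upgrade")

def connection_tokens(headers):
    """Header names listed in the client's Connection header (lower-cased)."""
    raw = {k.lower(): v for k, v in headers.items()}.get("connection", "")
    return {t.strip().lower() for t in raw.split(",") if t.strip()}

def weak_forward(client_headers, client_ip):
    """Vulnerable ordering: the proxy adds X-Forwarded-For first, then strips
    every header the client named as hop-by-hop, so the client can make the
    proxy drop its own X-Forwarded-For before the request reaches the origin."""
    out = {k.lower(): v for k, v in client_headers.items()}
    out["x-forwarded-for"] = client_ip
    for name in connection_tokens(client_headers) | set(ALWAYS_HOP_BY_HOP):
        out.pop(name, None)
    return out

def hardened_forward(client_headers, client_ip):
    """Fixed ordering: hop-by-hop stripping applies only to the client's own
    headers; proxy-owned headers are added afterwards and cannot be removed
    by client-supplied Connection tokens. (A real proxy would then set its
    own Connection header for the upstream hop; omitted here.)"""
    out = {k.lower(): v for k, v in client_headers.items()}
    for name in connection_tokens(client_headers) | set(ALWAYS_HOP_BY_HOP):
        out.pop(name, None)
    for name in PROXY_OWNED:      # never trust client-supplied copies
        out.pop(name, None)
    out["x-forwarded-for"] = client_ip
    return out

def names_proxy_header(client_headers):
    """Detection rule for access logs or a WAF: Connection tokens should only
    name hop-by-hop headers; one naming X-Forwarded-* is worth alerting on."""
    return bool(connection_tokens(client_headers) & set(PROXY_OWNED))

# Constructed sample request: the client lists X-Forwarded-For as hop-by-hop.
SAMPLE = {"Host": "app.example.test", "Connection": "close, X-Forwarded-For"}
```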

Apache HTTP Server Software Versions Affected By CVE-2022-31813

Apache HTTP Server software versions 2.4.53 and later are not vulnerable to CVE-2022-31813.

Timeline

Published on: 06/09/2022 17:15:00 UTC
Last modified on: 08/19/2022 12:54:00 UTC

References