
Apache Releases Security Update for HTTP Server Vulnerability


Summary

This security update addresses CVE-2023-25690, a vulnerability that enables HTTP request smuggling attacks.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

The Apache Foundation has released a security advisory to address a vulnerability with a CVSSv3 score of 9.8. The vulnerability, known as CVE-2023-25690, affects Apache HTTP Server with certain configurations and could allow an HTTP request smuggling attack. A remote, unauthenticated attacker could exploit this vulnerability to bypass access controls in the proxy server, redirect to a malicious site, or perform cache poisoning.

A proof-of-concept is publicly available

A proof-of-concept for CVE-2023-25690 was released in March 2023.


Remediation advice

Affected organisations are encouraged to review Apache's Security Advisory for CVE-2023-25690 and apply any relevant updates.



Last edited: 30 May 2023 4:52 pm