CVE-2019-17567 — MEDIUM (5.3)

Q: How severe is CVE-2019-17567?

CVE-2019-17567 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-17567?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Fedoraproject Fedora, Oracle Enterprise Manager Ops Center, Oracle Instantis Enterprisetrack, Oracle Zfs Storage Appliance Kit.

Vulnerability Description

Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Http Server	>= 2.4.6, <= 2.4.46
Fedoraproject	Fedora	34
Oracle	Enterprise Manager Ops Center	12.4.0.0
Oracle	Instantis Enterprisetrack	17.1
Oracle	Zfs Storage Appliance Kit	8.8

Related Weaknesses (CWE)

CWE-444

References

http://httpd.apache.org/security/vulnerabilities_24.htmlRelease NotesVendor Advisory
http://www.openwall.com/lists/oss-security/2021/06/10/2Mailing ListMitigationThird Party Advisory
https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111b
https://lists.apache.org/thread.html/r90f693a5c9fb75550ef1412436d5e682a5f845beb4
https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62Mailing ListVendor Advisory
https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202107-38Third Party Advisory
https://security.netapp.com/advisory/ntap-20210702-0001/Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
http://httpd.apache.org/security/vulnerabilities_24.htmlRelease NotesVendor Advisory
http://www.openwall.com/lists/oss-security/2021/06/10/2Mailing ListMitigationThird Party Advisory
https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111b
https://lists.apache.org/thread.html/r90f693a5c9fb75550ef1412436d5e682a5f845beb4

FAQ

What is CVE-2019-17567?

CVE-2019-17567 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing f...

How severe is CVE-2019-17567?

CVE-2019-17567 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-17567?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Fedoraproject Fedora, Oracle Enterprise Manager Ops Center, Oracle Instantis Enterprisetrack, Oracle Zfs Storage Appliance Kit.