AI description
CVE-2023-25690 is a vulnerability in Apache HTTP Server versions 2.4.0 through 2.4.55. It involves an HTTP Request Smuggling attack that can occur in certain `mod_proxy` configurations. These configurations are affected when `mod_proxy` is enabled alongside some form of `RewriteRule` or `ProxyPassMatch` where a non-specific pattern matches a portion of the user-supplied request-target (URL) data, which is then re-inserted into the proxied request-target using variable substitution. This vulnerability can lead to request splitting or smuggling, potentially allowing attackers to bypass access controls on the proxy server. It can also result in unintended proxying of URLs to existing origin servers and cache poisoning. To mitigate this vulnerability, it is recommended to update to Apache HTTP Server version 2.4.56 or later.
- Description
- Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:

      RewriteEngine on
      RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
      ProxyPassReverse /here/ http://example.com:8080/

  Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
- Source
- security@apache.org
- NVD status
- Modified
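As an added example (not code from this page, from NVD, or from the Apache project), the following Python check scans httpd configuration lines for the affected shape described above: a proxying RewriteRule (the [P] flag) or a ProxyPassMatch whose substitution re-inserts a capture from a non-specific pattern such as `(.*)`. The list of group bodies treated as "non-specific", the shlex-based tokenizing of directive lines, and the constructed sample configuration are assumptions; the sample contains the advisory's own example rule plus non-affected control lines.

```python
import re
import shlex

# Constructed httpd.conf excerpt (not from any real server); line 2 is the shape quoted
# in the advisory, line 4 the same shape via ProxyPassMatch, the rest are controls.
SAMPLE_CONFIG = """\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
ProxyPassMatch "^/api/(.*)$" "http://backend.internal:9000/v1/$1"
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
RewriteRule "^/img/([a-z0-9]+)$" "http://img.internal/$1.png" [P]
"""

# Capture-group bodies this heuristic treats as "non-specific" (an assumption, not a
# list from the advisory): each accepts any bytes of the request-target.
BROAD_BODIES = {".*", ".+", ".*?", ".+?"}

def broad_groups(pattern: str) -> set[int]:
    """1-based indices of non-nested capture groups whose body is non-specific."""
    groups = re.finditer(r"\(([^()]*)\)", pattern)
    return {i for i, m in enumerate(groups, start=1) if m.group(1) in BROAD_BODIES}

def referenced_groups(substitution: str) -> set[int]:
    """Group numbers the substitution re-inserts into the proxied target via $N."""
    return {int(n) for n in re.findall(r"\$(\d)", substitution)}

def find_smuggling_prone_rules(config_text: str) -> list[dict]:
    """Flag proxying RewriteRule/ProxyPassMatch lines that re-insert a broad capture."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tokens = shlex.split(raw)  # assumption: shlex quoting is close enough to httpd's
        if len(tokens) < 3 or tokens[0].startswith("#"):
            continue
        directive = tokens[0].lower()
        if directive == "rewriterule":
            # Only rules carrying the [P] (proxy) flag hand their result to mod_proxy.
            flags = tokens[3].strip("[]").split(",") if len(tokens) > 3 else []
            proxied = any(f.split("=")[0] in ("P", "proxy") for f in flags)
        elif directive == "proxypassmatch":
            proxied = True
        else:
            continue
        reinserted = broad_groups(tokens[1]) & referenced_groups(tokens[2])
        if proxied and reinserted:
            findings.append({"line": lineno, "directive": tokens[0],
                             "pattern": tokens[1], "groups": sorted(reinserted)})
    return findings
```

The check is a triage aid for locating rules that need review on hosts still in the 2.4.0 to 2.4.55 range; the mitigation remains the one the advisory gives, updating to 2.4.56 or later.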
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security@apache.org
- CWE-444
- Hype score
- Not currently trending
Some mod_proxy configurations, httpd:2.4.55, are vulnerable to the CVE-2023-25690 HTTP Request Smuggling attack (request splitting/smuggling). https://t.co/zBmzfAfSyL https://t.co/YXuToMAXZX
@TeslaTheGod
18 May 2025
3163 Impressions
5 Retweets
62 Likes
37 Bookmarks
2 Replies
1 Quote
CVE-2023-25690 query syntax: tag.apache.version:>=2.4.0 AND tag.apache.version:<=2.4.55 turns up a whole pile of results https://t.co/xK2lcx46BN
@annpigpigpig
7 Jan 2025
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3C9A570C-537D-4D4C-AF79-28DFB302B221",
            "versionEndIncluding": "2.4.55",
            "versionStartIncluding": "2.4.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]