CVE-2023-25690: Apache HTTP Server: HTTP request splitting with mod_rewrite and mod_proxy
First published: Tue Mar 07 2023(Updated: )
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24-httpd | <0:2.4.51-39.el8 | 0:2.4.51-39.el8 |
| redhat/jbcs-httpd24-httpd | <0:2.4.51-39.el7 | 0:2.4.51-39.el7 |
| redhat/httpd | <0:2.4.6-98.el7_9.7 | 0:2.4.6-98.el7_9.7 |
| redhat/httpd | <0:2.4.53-7.el9_1.5 | 0:2.4.53-7.el9_1.5 |
| redhat/httpd | <0:2.4.51-7.el9_0.4 | 0:2.4.51-7.el9_0.4 |
| redhat/httpd24-httpd | <0:2.4.34-23.el7.6 | 0:2.4.34-23.el7.6 |
| >=2.4.0<=2.4.55 | ||
| Apache HTTP server | >=2.4.0<=2.4.55 | |
| redhat/httpd | <2.4.56 | 2.4.56 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html
- https://security.gentoo.org/glsa/202309-01
- http://packetstormsecurity.com/files/176334/Apache-2.4.55-mod_proxy-HTTP-Request-Smuggling.html
- https://www.openwall.com/lists/oss-security/2023/03/07/1
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2176718
- https://access.redhat.com/errata/RHSA-2023:1547
- https://access.redhat.com/errata/RHSA-2023:1593
- https://access.redhat.com/errata/RHSA-2023:1596
- https://access.redhat.com/errata/RHSA-2023:1597
- https://access.redhat.com/errata/RHSA-2023:1670
- https://access.redhat.com/errata/RHSA-2023:1672
- https://access.redhat.com/errata/RHSA-2023:1673
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2177742
- https://access.redhat.com/security/cve/CVE-2023-25690
- https://github.com/apache/httpd/commit/8789f6bb926fa4c33b4231a8444340515c82bdff
- https://github.com/apache/httpd/commit/8b93a6512f14f5f68887ddfe677e91233ed79fb0
- https://svn.apache.org/viewvc?view=revision&revision=1908098
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2176209#c19
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2176209#c16
- https://access.redhat.com/errata/RHSA-2023:1916
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2190143
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2189179
- https://access.redhat.com/errata/RHSA-2023:3292
- https://access.redhat.com/errata/RHSA-2023:3355
- https://access.redhat.com/errata/RHSA-2023:3354
- https://access.redhat.com/security/cve/cve-2023-25690
- https://bugzilla.redhat.com/show_bug.cgi?id=2176209
- https://www.cve.org/CVERecord?id=CVE-2023-25690 https://nvd.nist.gov/vuln/detail/CVE-2023-25690 https://httpd.apache.org/security/vulnerabilities_24.html
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2023-25690?
CVE-2023-25690 is a vulnerability found in httpd, specifically in mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55.
How severe is CVE-2023-25690?
CVE-2023-25690 has a severity rating of critical (9 out of 10).
Which software versions are affected by CVE-2023-25690?
CVE-2023-25690 affects Apache HTTP Server versions 2.4.0 through 2.4.55, jbcs-httpd24-httpd versions 2.4.51-39.el8 and 2.4.51-39.el7, httpd version 2.4.6-98.el7_9.7, and httpd versions 2.4.53-7.el9_1.5 and 2.4.51-7.el9_0.4.
How can I fix CVE-2023-25690?
To fix CVE-2023-25690, it is recommended to update to the latest patched versions of the affected software mentioned in the advisory.
Where can I find more information about CVE-2023-25690?
More information about CVE-2023-25690 can be found on the official CVE website, NIST NVD, Apache HTTP Server security vulnerabilities page, and the Red Hat Bugzilla and Errata pages.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/author
- agent/softwarecombine
- agent/references
- agent/severity
- agent/title
- agent/weakness
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-25690
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- vendor/apache
- canonical/apache http server
- version/apache http server/2.4.0
- version/apache http server/2.4.55