Home

Description

A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic.

PUBLISHED Reserved 2024-10-23 | Published 2025-04-23 | Updated 2025-11-08 | Assigner redhat




MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem types

Incorrect Authorization

Product status

Default status
unaffected

1.3.17 (semver) before 1.3.21.Final
affected

Default status
affected

0:1.3.21-1.el10 (rpm) before *
unaffected

Default status
affected

0:1.3.22-1.el10_0.2 (rpm) before *
unaffected

Default status
affected

0:1.3.22-1.el9_5.2 (rpm) before *
unaffected

Default status
affected

0:1.3.22-1.el9_6.1 (rpm) before *
unaffected

Default status
affected

0:1.3.22-1.el9_4.1 (rpm) before *
unaffected

Default status
affected

Default status
affected

Timeline

2024-10-23:Reported to Red Hat.
2025-02-28:Made public.

References

access.redhat.com/errata/RHBA-2025:2973 (RHBA-2025:2973) vendor-advisory

access.redhat.com/errata/RHBA-2025:5309 (RHBA-2025:5309) vendor-advisory

access.redhat.com/errata/RHSA-2025:9434 (RHSA-2025:9434) vendor-advisory

access.redhat.com/errata/RHSA-2025:9466 (RHSA-2025:9466) vendor-advisory

access.redhat.com/errata/RHSA-2025:9997 (RHSA-2025:9997) vendor-advisory

access.redhat.com/security/cve/CVE-2024-10306 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2321302 (RHBZ#2321302) issue-tracking

cve.org (CVE-2024-10306)

nvd.nist.gov (CVE-2024-10306)

Download JSON