Mitigation Instructions for PureFTPD
Securing PureFTPD is essential to safeguard data integrity and prevent unauthorized access to your system. Here's a comprehensive approach to...
CyRisk Vulnerability Management Team
Jun 13, 2023 11:39:43 AM
SUBJECT: CVE-2023-25690 HTTP Request Smuggling attack
TECH STACK: Apache HTTP Server versions 2.4.0 through 2.4.55
DATE(S) ISSUED: 03/07/2023
NVD Last Modified: 04/24/2023
CRITICALITY: CRITICAL
OVERVIEW:
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like:

    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
    ProxyPassReverse /here/ http://example.com:8080/

Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.
SOLUTION:
To mitigate this vulnerability, it is recommended to update the Apache HTTP Server to at least version 2.4.56. This update addresses the issue and helps protect against potential attacks.
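As an added check that is not part of this advisory: the Python script below scans an httpd configuration for the pattern described above, a RewriteRule with the [P] flag or a ProxyPassMatch whose substitution re-inserts a captured piece of the request-target after a "?", so affected hosts can be listed while the upgrade to 2.4.56 is rolled out. The function names and the SAMPLE_CONFIG fragment are hypothetical and constructed for this example.

```python
import re
import shlex

# Backreference $1..$9 appearing after the first '?' of the proxied target.
_CAPTURE_IN_QUERY = re.compile(r"\?.*\$[1-9]")

# Constructed httpd.conf fragment (hypothetical); line 3 mirrors the advisory's example.
SAMPLE_CONFIG = """\
RewriteEngine on
# captured path re-inserted into the query string of a proxied target
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
# same weakness expressed with ProxyPassMatch
ProxyPassMatch "^/api/(.*)$" "http://backend.example:8080/search?q=$1"
# safe: capture stays in the path component
RewriteRule "^/static/(.*)" "http://example.com:8080/assets/$1" [P,L]
# safe: no [P] flag, so nothing is proxied
RewriteRule "^/old/(.*)" "/new?$1"
"""

def _proxy_flag_set(flag_token: str) -> bool:
    """True for mod_rewrite flag lists such as [P], [P,L] or [proxy,NE]."""
    if not (flag_token.startswith("[") and flag_token.endswith("]")):
        return False
    flags = [f.strip().lower() for f in flag_token[1:-1].split(",")]
    return any(f == "p" or f == "proxy" for f in flags)

def find_risky_proxy_rules(config_text: str) -> list:
    """One finding per RewriteRule [P] / ProxyPassMatch whose substitution
    places a capture from the request-target after a '?'."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or full-line comment
        try:
            tokens = shlex.split(line)  # honours the "..." quoting httpd uses
        except ValueError:
            continue  # unbalanced quotes: leave that to httpd -t
        directive = tokens[0].lower()
        if directive == "rewriterule" and len(tokens) >= 3:
            target, proxied = tokens[2], len(tokens) > 3 and _proxy_flag_set(tokens[3])
        elif directive == "proxypassmatch" and len(tokens) >= 3:
            target, proxied = tokens[2], True
        else:
            continue
        if proxied and _CAPTURE_IN_QUERY.search(target):
            findings.append((lineno, tokens[0], target))
    return findings
```

Run it over the real httpd.conf and included files; each finding is a directive to rewrite so the captured data stays in the path, or to re-check after updating to 2.4.56.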