Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (CWE-444)
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. Because httpd percent-decodes the request path before the pattern is matched, and the substituted value is not re-escaped, attacker-controlled bytes such as encoded line breaks can reach the request line sent to the origin server.
Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. This vulnerability has a CVSS v3.1 base score of 9.8 (Critical), with High impacts on Confidentiality, Integrity, and Availability. The attack vector is Network-based, requires Low attack complexity, No privileges, and No user interaction.
Multiple proof-of-concept exploits are available on github.com. There is no evidence of exploitation in the wild at the moment.
A patch is available. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
Update Apache HTTP Server to version 2.4.56 or later. If immediate updating is not possible, review every mod_proxy configuration in which a proxy-flagged RewriteRule or a ProxyPassMatch captures user-supplied request-target data with a non-specific pattern and re-inserts it into the proxied request, and replace such rules with fixed-prefix proxying or with patterns restricted to an explicit character set that cannot match line breaks. Consider additional access controls on the origin paths the proxy can reach, and monitor proxy access logs for request-targets under proxied paths that carry percent-encoded CR or LF (%0d, %0a).
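The following is an added example, not code from this page, from Apache httpd or from any public proof-of-concept. It models in Python the two steps that make the configuration class above dangerous (percent-decoding before the rewrite match, then unescaped back-reference substitution into the proxied request-target), shows the hardened variant an operator can apply to the same rule, and implements the log check recommended for monitoring. The example rule, the backend hostname and the access-log lines are constructed assumptions.

```python
# Added example: a Python model of the CVE-2023-25690 configuration class and a
# log check for the monitoring step.  This is not code from the page, from
# Apache httpd or from any public PoC; the rule, hostnames and log lines are
# constructed for illustration.
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# A rule of the vulnerable shape (assumed example configuration):
#   RewriteRule "^/here/(.*)" "http://backend.internal:8080/elsewhere?$1" [P]
# '(.*)' is the non-specific pattern; '$1' re-inserts whatever it matched into
# the proxied request-target.  DOTALL lets '.' span the injected CR LF, which is
# the behaviour the published proof-of-concepts rely on (a modelling assumption).
RULE_PATTERN = re.compile(r"^/here/(.*)", re.DOTALL)
RULE_SUBST = "http://backend.internal:8080/elsewhere?$1"

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Specific character class an operator could require instead of '.*'.
SAFE_CAPTURE = re.compile(r"[A-Za-z0-9_./=&-]*")


def rewrite_vulnerable(request_target: str) -> Optional[str]:
    """Proxied URL the unpatched configuration would build, or None if the rule
    does not match.  httpd percent-decodes the path before mod_rewrite matches
    it, so %0d%0a is a literal CR LF by the time $1 is substituted unescaped."""
    m = RULE_PATTERN.match(unquote(request_target))
    return RULE_SUBST.replace("$1", m.group(1)) if m else None


def rewrite_hardened(request_target: str) -> Optional[str]:
    """Same rule with two operator-side checks, each of which alone defeats the
    split: refuse captured text containing control characters, and require it
    to match the specific class.  Returning None stands for not proxying."""
    m = RULE_PATTERN.match(unquote(request_target))
    if not m:
        return None
    captured = m.group(1)
    if CONTROL_CHARS.search(captured) or not SAFE_CAPTURE.fullmatch(captured):
        return None
    return RULE_SUBST.replace("$1", captured)


def build_outgoing_request(proxied_url: str) -> str:
    """Request line and Host header mod_proxy would send for the rewritten URL
    (simplified; real httpd adds further headers)."""
    host, _, path = proxied_url[len("http://"):].partition("/")
    return f"GET /{path} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def requests_seen_by_backend(raw: str) -> List[str]:
    """Split the byte stream the way a backend parser does, one request per
    blank line, and return the request-lines it would act on."""
    return [chunk.split("\r\n", 1)[0] for chunk in raw.split("\r\n\r\n") if chunk]


def backend_request_lines(request_target: str, hardened: bool = False) -> List[str]:
    """End-to-end: one client request-target in, the request-lines the backend
    executes out.  Two entries means one forwarded request became two."""
    url = (rewrite_hardened if hardened else rewrite_vulnerable)(request_target)
    return [] if url is None else requests_seen_by_backend(build_outgoing_request(url))


# Request-target that splits the proxied request (constructed; percent-encoded
# space, CR and LF so it is a single token on the client's request line).
SMUGGLE_TARGET = ("/here/x%20HTTP/1.1%0d%0aHost:%20backend.internal%0d%0a%0d%0a"
                  "GET%20/admin")

# Monitoring side: flag access-log entries whose request-target is under the
# proxied prefix and carries a percent-encoded CR or LF.
ENCODED_CR_LF = re.compile(r"%0[aAdD]")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_smuggling_attempts(access_log_lines: List[str],
                            proxied_prefix: str = "/here/") -> List[Tuple[str, str]]:
    hits = []
    for line in access_log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        if target.startswith(proxied_prefix) and ENCODED_CR_LF.search(target):
            hits.append((client, target))
    return hits


SAMPLE_ACCESS_LOG = [  # constructed combined-log lines, not real traffic
    '203.0.113.5 - - [10/Mar/2023:10:00:01 +0000] "GET /here/docs/index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2023:10:00:02 +0000] "GET ' + SMUGGLE_TARGET + ' HTTP/1.1" 200 71',
    '198.51.100.2 - - [10/Mar/2023:10:00:03 +0000] "GET /static/logo%0d.png HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(backend_request_lines(SMUGGLE_TARGET))                 # two request-lines
    print(backend_request_lines(SMUGGLE_TARGET, hardened=True))  # []
    print(flag_smuggling_attempts(SAMPLE_ACCESS_LOG))
```

The hardened variant is a configuration-side mitigation and does not replace the upgrade: it only covers the one rule it is applied to, and the log check only catches attempts that arrive percent-encoded on the front-end request line. The third sample log line shows the prefix filter at work, since an encoded CR outside the proxied path is not evidence of this attack.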
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Feedly found the first article mentioning CVE-2023-25690.
EPSS Score was set to: 4.4% (Percentile: 91.4%)
Detection for the vulnerability has been added to Qualys (503859)
Detection for the vulnerability has been added to Nessus (187757)
The vulnerability CVE-2023-25690 is critical with a CVSS v3 base score of 9.8. It allows unauthenticated remote attackers to split requests passing through the proxy, bypassing the proxy's access controls, reaching unintended URLs on existing origin servers and poisoning caches; it does not by itself give code execution on the affected system. Apply patches or mitigations to prevent exploitation. The impact may extend to third-party vendors or technologies that rely on the affected system.
Detection for the vulnerability has been added to Qualys (380719)
Attacks in the wild have been reported by inthewild.io.