PT-2021-5806 · Apache · Apache Http Server
Published 2021-05-20 · Updated 2024-06-10
CVE-2019-17567
| CVSS v3.1 | 5.3 (Medium) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Apache HTTP Server versions 2.4.6 through 2.4.46
Description
The issue lies in how the Apache HTTP Server handles HTTP requests when proxying WebSocket traffic. Specifically, when mod_proxy_wstunnel is configured on a URL that is not necessarily upgraded by the origin server, it tunnels the whole connection regardless, so subsequent requests on the same connection pass through with no HTTP validation, authentication, or authorization. This could allow a remote attacker to impact the integrity of data.
Recommendations
For Apache HTTP Server versions 2.4.6 through 2.4.46, consider disabling the mod_proxy_wstunnel module until a patch is available to prevent unauthorized access. Restrict access to sensitive areas of the server to minimize the risk of exploitation. As a temporary workaround, consider implementing additional validation and authentication mechanisms for incoming requests to mitigate the risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
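As an added illustration of the recommendations above (example configuration, not part of the original advisory), the reduced-exposure variant confines the ws:// ProxyPass to the single path the backend is expected to upgrade, keeps ordinary application traffic on mod_proxy_http, and places the application behind authentication; the backend host, paths and htpasswd file are assumed values.

```apache
# --- Risky pattern (constructed example) ---
# Every URL under / is handed to mod_proxy_wstunnel. On affected
# versions (2.4.6 through 2.4.46) the connection is tunnelled even on
# paths the backend never upgrades, and later requests on that
# connection skip httpd's validation, authentication and authorization.
#
# LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
# ProxyPass        "/" "ws://backend.internal:8080/"
# ProxyPassReverse "/" "ws://backend.internal:8080/"

# --- Reduced-exposure pattern ---
# To follow the advisory's first recommendation instead, omit the
# proxy_wstunnel LoadModule line and the ws:// mappings entirely.
LoadModule proxy_module          modules/mod_proxy.so
LoadModule proxy_http_module     modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so

# ProxyPass rules match in configuration order, so the specific
# WebSocket endpoint (assumed: /app/ws) must come before the broader
# http:// mapping; only that one path ever reaches mod_proxy_wstunnel.
ProxyPass        "/app/ws" "ws://backend.internal:8080/ws"
ProxyPassReverse "/app/ws" "ws://backend.internal:8080/ws"

# Plain HTTP traffic stays on mod_proxy_http, so every request is
# parsed and authorized by httpd before it is forwarded.
ProxyPass        "/app/"   "http://backend.internal:8080/"
ProxyPassReverse "/app/"   "http://backend.internal:8080/"

# Authentication in front of the application, including the WebSocket
# endpoint, so the initial request on any connection is authorized.
<Location "/app/">
    AuthType Basic
    AuthName "Application"
    AuthUserFile "/etc/httpd/conf/app.htpasswd"
    Require valid-user
</Location>
```

Validate with `apachectl configtest` before reloading; the scoping only helps if the backend really upgrades every request on the ws:// path.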
Weakness Enumeration
HTTP Request/Response Smuggling
Related Identifiers
Affected Products
Alt Linux
Apache Http Server
Astra Linux