PT-2025-17610 · Unknown · Mod Proxy Cluster

Published: 2025-02-28 · Updated: 2025-06-30 · CVE-2024-10306

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

mod proxy cluster (affected versions not specified)

Description

A vulnerability was found in mod proxy cluster: the <Directory> directive does not restrict IP/host access as Require ip IP ADDRESS would suggest. Anyone with access to the host can therefore send MCMP requests, which may result in nodes being added, removed, or updated for balancing. The host should not be accessible to the public network, as it does not serve general traffic.

Recommendations

As a temporary workaround until the issue is resolved, replace the <Directory> directive with the <Location> directive to restrict access. Restrict access to the host to minimize the risk of exploitation, ensuring it is not accessible to the public network.
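
The workaround above, shown as a before/after configuration fragment. This is an added example, not taken from the advisory or the project; the port 6666, the 192.0.2.0/24 range and the virtual host layout are assumptions, and the MCMP receiver directives of the virtual host are left out.

```apache
# Constructed example. The two blocks are alternatives, not one file:
# load only the "after" form.

# Before: the pattern the description warns about.
# <Directory> sections are matched against filesystem paths, so the
# Require line below does not restrict who may send MCMP requests
# to this virtual host.
<VirtualHost *:6666>
    <Directory />
        Require ip 192.0.2.0/24
    </Directory>
    # ... MCMP receiver directives for this virtual host (unchanged) ...
</VirtualHost>

# After: the workaround from the Recommendations.
# <Location> sections are matched against the request URL path, so the
# same Require line is evaluated for requests sent to this virtual host.
<VirtualHost *:6666>
    <Location />
        Require ip 192.0.2.0/24
    </Location>
    # ... MCMP receiver directives for this virtual host (unchanged) ...
</VirtualHost>
```

After reloading, a request from an address outside the allowed range should be refused with 403; network-level filtering of the management port remains necessary either way.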

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

ALSA-2025:9434
ALSA-2025:9466
CVE-2024-10306
INFBA-2025_2973
INFSA-2025_9434
RHSA-2025:9434
RHSA-2025:9466
RHSA-2025:9997
RHSA-2025_9434

Affected Products

Almalinux
Red Hat
Rocky Linux
Mod Proxy Cluster