Lucene search

K
cve[email protected]CVE-2011-3368
HistoryOct 05, 2011 - 10:55 p.m.

CVE-2011-3368

2011-10-0522:55:02
CWE-20
web.nvd.nist.gov
947
cve-2011-3368
apache http server
mod_proxy
rewriterule
proxypassmatch
reverse proxy
uri
security vulnerability
nvd

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

9.2

Confidence

High

EPSS

0.974

Percentile

99.9%

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

Affected configurations

NVD
Node
apachehttp_serverMatch1.3
OR
apachehttp_serverMatch1.3.0
OR
apachehttp_serverMatch1.3.1
OR
apachehttp_serverMatch1.3.1.1
OR
apachehttp_serverMatch1.3.2
OR
apachehttp_serverMatch1.3.3
OR
apachehttp_serverMatch1.3.4
OR
apachehttp_serverMatch1.3.5
OR
apachehttp_serverMatch1.3.6
OR
apachehttp_serverMatch1.3.7
OR
apachehttp_serverMatch1.3.8
OR
apachehttp_serverMatch1.3.9
OR
apachehttp_serverMatch1.3.10
OR
apachehttp_serverMatch1.3.11
OR
apachehttp_serverMatch1.3.12
OR
apachehttp_serverMatch1.3.13
OR
apachehttp_serverMatch1.3.14
OR
apachehttp_serverMatch1.3.15
OR
apachehttp_serverMatch1.3.16
OR
apachehttp_serverMatch1.3.17
OR
apachehttp_serverMatch1.3.18
OR
apachehttp_serverMatch1.3.19
OR
apachehttp_serverMatch1.3.20
OR
apachehttp_serverMatch1.3.22
OR
apachehttp_serverMatch1.3.23
OR
apachehttp_serverMatch1.3.24
OR
apachehttp_serverMatch1.3.25
OR
apachehttp_serverMatch1.3.26
OR
apachehttp_serverMatch1.3.27
OR
apachehttp_serverMatch1.3.28
OR
apachehttp_serverMatch1.3.29
OR
apachehttp_serverMatch1.3.30
OR
apachehttp_serverMatch1.3.31
OR
apachehttp_serverMatch1.3.32
OR
apachehttp_serverMatch1.3.33
OR
apachehttp_serverMatch1.3.34
OR
apachehttp_serverMatch1.3.35
OR
apachehttp_serverMatch1.3.36
OR
apachehttp_serverMatch1.3.37
OR
apachehttp_serverMatch1.3.38
OR
apachehttp_serverMatch1.3.39
OR
apachehttp_serverMatch1.3.41
OR
apachehttp_serverMatch1.3.42
OR
apachehttp_serverMatch1.3.65
OR
apachehttp_serverMatch1.3.68
Node
apachehttp_serverMatch2.0
OR
apachehttp_serverMatch2.0.9
OR
apachehttp_serverMatch2.0.28
OR
apachehttp_serverMatch2.0.28beta
OR
apachehttp_serverMatch2.0.32
OR
apachehttp_serverMatch2.0.32beta
OR
apachehttp_serverMatch2.0.34beta
OR
apachehttp_serverMatch2.0.35
OR
apachehttp_serverMatch2.0.36
OR
apachehttp_serverMatch2.0.37
OR
apachehttp_serverMatch2.0.38
OR
apachehttp_serverMatch2.0.39
OR
apachehttp_serverMatch2.0.40
OR
apachehttp_serverMatch2.0.41
OR
apachehttp_serverMatch2.0.42
OR
apachehttp_serverMatch2.0.43
OR
apachehttp_serverMatch2.0.44
OR
apachehttp_serverMatch2.0.45
OR
apachehttp_serverMatch2.0.46
OR
apachehttp_serverMatch2.0.47
OR
apachehttp_serverMatch2.0.48
OR
apachehttp_serverMatch2.0.49
OR
apachehttp_serverMatch2.0.50
OR
apachehttp_serverMatch2.0.51
OR
apachehttp_serverMatch2.0.52
OR
apachehttp_serverMatch2.0.53
OR
apachehttp_serverMatch2.0.54
OR
apachehttp_serverMatch2.0.55
OR
apachehttp_serverMatch2.0.56
OR
apachehttp_serverMatch2.0.57
OR
apachehttp_serverMatch2.0.58
OR
apachehttp_serverMatch2.0.59
OR
apachehttp_serverMatch2.0.60
OR
apachehttp_serverMatch2.0.61
OR
apachehttp_serverMatch2.0.63
OR
apachehttp_serverMatch2.0.64
Node
apachehttp_serverMatch2.2.0
OR
apachehttp_serverMatch2.2.1
OR
apachehttp_serverMatch2.2.2
OR
apachehttp_serverMatch2.2.3
OR
apachehttp_serverMatch2.2.4
OR
apachehttp_serverMatch2.2.6
OR
apachehttp_serverMatch2.2.8
OR
apachehttp_serverMatch2.2.9
OR
apachehttp_serverMatch2.2.10
OR
apachehttp_serverMatch2.2.11
OR
apachehttp_serverMatch2.2.12
OR
apachehttp_serverMatch2.2.13
OR
apachehttp_serverMatch2.2.14
OR
apachehttp_serverMatch2.2.15
OR
apachehttp_serverMatch2.2.16
OR
apachehttp_serverMatch2.2.18
OR
apachehttp_serverMatch2.2.19
OR
apachehttp_serverMatch2.2.20
OR
apachehttp_serverMatch2.2.21

References

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

9.2

Confidence

High

EPSS

0.974

Percentile

99.9%