Vulnerability Details : CVE-2022-31813
Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.
Products affected by CVE-2022-31813
- cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
Threat overview for CVE-2022-31813
Top countries where our scanners detected CVE-2022-31813
Top open port discovered on systems with this issue
80
IPs affected by CVE-2022-31813 10,300,873
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2022-31813!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2022-31813
0.94%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 83 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-31813
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2022-31813
-
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.Assigned by: nvd@nist.gov (Primary)
-
The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.Assigned by: security@apache.org (Secondary)
References for CVE-2022-31813
-
https://httpd.apache.org/security/vulnerabilities_24.html
httpd 2.4 vulnerabilities - The Apache HTTP Server ProjectVendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
[SECURITY] Fedora 36 Update: httpd-2.4.54-3.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/202208-20
Apache HTTPD: Multiple Vulnerabilities (GLSA 202208-20) — Gentoo securityThird Party Advisory
-
http://www.openwall.com/lists/oss-security/2022/06/08/8
oss-security - CVE-2022-31813: Apache HTTP Server: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanismMailing List;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20220624-0005/
June 2022 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
[SECURITY] Fedora 35 Update: httpd-2.4.54-1.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
Jump to