{
    "dataType": "CVE_RECORD",
    "cveMetadata": {
        "state": "PUBLISHED",
        "cveId": "CVE-2019-17567",
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "dateUpdated": "2024-08-05T01:40:15.824Z",
        "dateReserved": "2019-10-14T00:00:00",
        "datePublished": "2021-06-10T07:10:19"
    },
    "containers": {
        "cna": {
            "title": "mod_proxy_wstunnel tunneling of non Upgraded connections",
            "providerMetadata": {
                "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
                "shortName": "apache",
                "dateUpdated": "2024-06-10T16:10:30.804307"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured."
                }
            ],
            "affected": [
                {
                    "vendor": "Apache Software Foundation",
                    "product": "Apache HTTP Server",
                    "versions": [
                        {
                            "version": "2.4.46",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.43",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.41",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.39",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.38",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.37",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.35",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.34",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.33",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.29",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.28",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.27",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.26",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.25",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.23",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.20",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.18",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.17",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.16",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.12",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.10",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.9",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.7",
                            "status": "affected"
                        },
                        {
                            "version": "2.4.6",
                            "status": "affected"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "http://httpd.apache.org/security/vulnerabilities_24.html"
                },
                {
                    "url": "https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E"
                },
                {
                    "name": "[httpd-announce] 20210609 CVE-2019-17567: mod_proxy_wstunnel tunneling of non Upgraded connections",
                    "tags": [
                        "mailing-list"
                    ],
                    "url": "https://lists.apache.org/thread.html/r90f693a5c9fb75550ef1412436d5e682a5f845beb427fa6f23419a3c%40%3Cannounce.httpd.apache.org%3E"
                },
                {
                    "name": "[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json",
                    "tags": [
                        "mailing-list"
                    ],
                    "url": "https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd%40%3Cdev.httpd.apache.org%3E"
                },
                {
                    "name": "[oss-security] 20210609 CVE-2019-17567: Apache httpd: mod_proxy_wstunnel tunneling of non Upgraded connections",
                    "tags": [
                        "mailing-list"
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2021/06/10/2"
                },
                {
                    "name": "GLSA-202107-38",
                    "tags": [
                        "vendor-advisory"
                    ],
                    "url": "https://security.gentoo.org/glsa/202107-38"
                },
                {
                    "name": "FEDORA-2021-dce7e7738e",
                    "tags": [
                        "vendor-advisory"
                    ],
                    "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"
                },
                {
                    "name": "FEDORA-2021-e3f6dd670d",
                    "tags": [
                        "vendor-advisory"
                    ],
                    "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"
                },
                {
                    "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
                },
                {
                    "url": "https://security.netapp.com/advisory/ntap-20210702-0001/"
                },
                {
                    "name": "[debian-lts-announce] 20240525 [SECURITY] [DLA 3818-1] apache2 security update",
                    "tags": [
                        "mailing-list"
                    ],
                    "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html"
                }
            ],
            "credits": [
                {
                    "lang": "en",
                    "value": "Reported by Mikhail Egorov (<0ang3el gmail.com>)"
                }
            ],
            "metrics": [
                {
                    "other": {
                        "content": {
                            "other": "moderate"
                        },
                        "type": "unknown"
                    }
                }
            ],
            "problemTypes": [
                {
                    "descriptions": [
                        {
                            "type": "text",
                            "lang": "en",
                            "description": "mod_proxy_wstunnel tunneling of non Upgraded connections"
                        }
                    ]
                }
            ],
            "x_generator": {
                "engine": "Vulnogram 0.0.9"
            },
            "source": {
                "discovery": "UNKNOWN"
            }
        },
        "adp": [
            {
                "providerMetadata": {
                    "orgId": "af854a3a-2127-422b-91ae-364da2661108",
                    "shortName": "CVE",
                    "dateUpdated": "2024-08-05T01:40:15.824Z"
                },
                "title": "CVE Program Container",
                "references": [
                    {
                        "url": "http://httpd.apache.org/security/vulnerabilities_24.html",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "name": "[httpd-announce] 20210609 CVE-2019-17567: mod_proxy_wstunnel tunneling of non Upgraded connections",
                        "tags": [
                            "mailing-list",
                            "x_transferred"
                        ],
                        "url": "https://lists.apache.org/thread.html/r90f693a5c9fb75550ef1412436d5e682a5f845beb427fa6f23419a3c%40%3Cannounce.httpd.apache.org%3E"
                    },
                    {
                        "name": "[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json",
                        "tags": [
                            "mailing-list",
                            "x_transferred"
                        ],
                        "url": "https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd%40%3Cdev.httpd.apache.org%3E"
                    },
                    {
                        "name": "[oss-security] 20210609 CVE-2019-17567: Apache httpd: mod_proxy_wstunnel tunneling of non Upgraded connections",
                        "tags": [
                            "mailing-list",
                            "x_transferred"
                        ],
                        "url": "http://www.openwall.com/lists/oss-security/2021/06/10/2"
                    },
                    {
                        "name": "GLSA-202107-38",
                        "tags": [
                            "vendor-advisory",
                            "x_transferred"
                        ],
                        "url": "https://security.gentoo.org/glsa/202107-38"
                    },
                    {
                        "name": "FEDORA-2021-dce7e7738e",
                        "tags": [
                            "vendor-advisory",
                            "x_transferred"
                        ],
                        "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"
                    },
                    {
                        "name": "FEDORA-2021-e3f6dd670d",
                        "tags": [
                            "vendor-advisory",
                            "x_transferred"
                        ],
                        "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"
                    },
                    {
                        "url": "https://www.oracle.com/security-alerts/cpuoct2021.html",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://security.netapp.com/advisory/ntap-20210702-0001/",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "name": "[debian-lts-announce] 20240525 [SECURITY] [DLA 3818-1] apache2 security update",
                        "tags": [
                            "mailing-list",
                            "x_transferred"
                        ],
                        "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html"
                    }
                ]
            }
        ]
    },
    "dataVersion": "5.1"
}