Access Control Flaw in Apache HTTP Server's mod_proxy_cluster
CVE-2024-10306

5.4MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux 9; Red Hat Jboss Core Services
Vendor: CVE Published:; 23 April 2025

Summary

A vulnerability affecting Apache HTTP Server's mod_proxy_cluster arises from the incorrect use of the directive instead of the directive. As a result, the necessary IP/host access controls are not enforced, permitting any individual with access to the host to issue MCMP requests. This could lead to the unauthorized addition, removal, or updating of nodes in the load balancing setup. It is critical to restrict access to this host, as it should not be exposed to public networks.

References

https://access.redhat.com/security/cve/CVE-2024-10306

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2321302

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 23, 2025
Vulnerability Reserved
Oct 23, 2024