CVE-2024-10306

EPSS 0.25%
Veröffentlicht 23.04.2025 09:59:49
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

Mod_proxy_cluster: mod_proxy_cluster unauthorized mcmp requests

A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

CNA 8 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Collection URLhttps://github.com/modcluster/mod_proxy_cluster

≫

Paket mod_proxy_cluster

Default Statusunaffected

Version 1.3.17

Version < 1.3.21.Final

Status affected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 10

Default Statusaffected

Version 0:1.3.21-1.el10

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 10

Default Statusaffected

Version 0:1.3.22-1.el10_0.2

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 9

Default Statusaffected

Version 0:1.3.22-1.el9_5.2

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 9

Default Statusaffected

Version 0:1.3.22-1.el9_6.1

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 9.4 Extended Update Support

Default Statusaffected

Version 0:1.3.22-1.el9_4.1

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat JBoss Core Services

Default Statusaffected

HerstellerRed Hat

≫

Produkt Red Hat JBoss Core Services

Default Statusaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.475

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secalert@redhat.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://access.redhat.com/security/cve/CVE-2024-10306

https://bugzilla.redhat.com/show_bug.cgi?id=2321302

https://access.redhat.com/errata/RHBA-2025:5309

https://access.redhat.com/errata/RHBA-2025:2973

https://access.redhat.com/errata/RHSA-2025:9434

https://access.redhat.com/errata/RHSA-2025:9466

https://access.redhat.com/errata/RHSA-2025:9997

https://nvd.nist.gov/vuln/detail/CVE-2024-10306

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-10306

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-10306

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-10306