CVE-2022-31813

CRITICAL LAB

Apache HTTP Server < 2.4.54 - Data Authenticity Bypass

Title source: rule

Description

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on the client-side Connection header hop-by-hop mechanism. This may be used to bypass IP-based authentication on the origin server/application.

Exploits (2)

nomisec SCANNER 1 star
by dodiorne · poc
https://github.com/dodiorne/cve-2022-31813

nomisec WORKING POC
by yiliufeng168 · poc
https://github.com/yiliufeng168/CVE-2022-31813

Scores

CVSS v3: 9.8
EPSS: 0.0004
EPSS Percentile: 13.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Community Lab
docker pull httpd:2.4.53

Details

CWE: CWE-345, CWE-348
Status: published
Products (4):
apache/http_server < 2.4.54
fedoraproject/fedora 35
fedoraproject/fedora 36
netapp/clustered_data_ontap
Published: Jun 09, 2022
Tracked Since: Feb 18, 2026