CVE-2019-17567
apache2 - security update
CVSS 3.1: 5.3 (MEDIUM)
EPSS: 8.6%
Description
In Apache HTTP Server versions 2.4.6 to 2.4.46, mod_proxy_wstunnel configured on a URL that is not necessarily Upgraded by the origin server tunneled the whole connection regardless. Subsequent requests on the same connection could therefore pass through without any HTTP validation, authentication or authorization that may have been configured.
How to fix CVE-2019-17567
To remediate CVE-2019-17567, upgrade the affected package to a fixed version below.
- upgrade to 2.4.48-2 or later
- upgrade to 2.4.59-1~deb10u1 or later
Is CVE-2019-17567 being exploited?
Moderate — EPSS is 8.6%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- from 0, < 2.4.48-2
- from 0, < 2.4.59-1~deb10u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |