CVE-2024-10306

Published: Apr 23, 2025Modified: Jul 1, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: secalert@redhat.com (Secondary)

Description

A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic.

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (7)

https://access.redhat.com/errata/RHBA-2025:2973

Source: secalert@redhat.com

https://access.redhat.com/errata/RHBA-2025:5309

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:9434

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:9466

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:9997

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2024-10306

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2321302

Source: secalert@redhat.com

Timeline

No history available yet.