vulnerability

Oracle Linux: CVE-2024-10306: ELBA-2025-5309: mod_proxy_cluster bug fix and enhancement update (MODERATE) (Multiple Advisories)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:S/C:P/I:P/A:N)	Feb 28, 2025	Jun 30, 2025	Jul 16, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:P/A:N)

Published

Feb 28, 2025

Added

Jun 30, 2025

Modified

Jul 16, 2025

Description

A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic.

Solution

oracle-linux-upgrade-mod-proxy-cluster

References

CVE-2024-10306
https://attackerkb.com/topics/CVE-2024-10306
ELSA-ELSA-2025-9434
ELSA-ELSA-2025-9466
CWE-863

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today