Upstream information
Description
A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic.SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
| CNA (Red Hat) | |
|---|---|
| Base Score | 5.4 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | Low |
| Integrity Impact | Low |
| Availability Impact | None |
| CVSSv3 Version | 3.1 |
SUSE Security Advisories:
- RHSA-2025:9434, published Thu Jun 26 15:06:53 UTC 2025
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Liberty Linux 9 |
| Patchnames: RHSA-2025:9434 |
SUSE Timeline for this CVE
CVE page created: Wed Apr 23 12:01:23 2025CVE page last modified: Thu Jun 26 20:05:51 2025