A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic.
Fixes

Solution

No solution given by the vendor.


Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

History

Tue, 01 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:9.4

Tue, 01 Jul 2025 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.4::appstream
Vendors & Products Redhat rhel Eus
References

Tue, 24 Jun 2025 06:45:00 +0000


Sat, 31 May 2025 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:9

Fri, 30 May 2025 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:9 cpe:/a:redhat:enterprise_linux:9::appstream
References

Wed, 14 May 2025 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10.0
References

Wed, 23 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 23 Apr 2025 14:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 23 Apr 2025 10:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic.
Title Mod_proxy_cluster: mod_proxy_cluster unauthorized mcmp requests
First Time appeared Redhat
Redhat enterprise Linux
Redhat jboss Core Services
Weaknesses CWE-863
CPEs cpe:/a:redhat:jboss_core_services:1
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat jboss Core Services
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-09-26T06:28:52.442Z

Reserved: 2024-10-23T14:03:44.421Z

Link: CVE-2024-10306

cve-icon Vulnrichment

Updated: 2025-04-23T15:33:21.222Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-04-23T10:15:14.330

Modified: 2025-07-01T03:15:20.857

Link: CVE-2024-10306

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-02-28T00:00:00Z

Links: CVE-2024-10306 - Bugzilla

cve-icon OpenCVE Enrichment

No data.