Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2011-3368 — Improper Input Validation in Apache Http Server
Severity
5.0 MEDIUM (NVD)
EPSS
79.1%
top 0.93%
CISA KEV
Not in KEV
Exploit
PoC available
Affected products
Timeline
Published: Oct 5
Latest update: May 13
Description
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.
CVSS vector
AV:N/AC:L/C:P/I:N/A:N
Exploitability: 10.0 | Impact: 2.9
Affected Packages: 1 package
Patches
Vulnerability Details (3)
Exploits & PoCs (1)
Vendor Advisories (5)
Red Hat
Debian
CVE-2011-3368: apache2 - The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x throu... (2011)
Community (5)
Bugzilla: CVE-2011-3368 CVE-2012-0053 CVE-2012-0031 CVE-2012-0021 CVE-2011-3607 httpd: multiple vulnerabilities [fedora-all] (2012-01-27)
Bugzilla: CVE-2011-4317 httpd: uri scheme bypass of the reverse proxy vulnerability CVE-2011-3368 fix (2011-11-23)
Bugzilla: CVE-2011-3639 httpd: http 0.9 request bypass of the reverse proxy vulnerability CVE-2011-3368 fix (2011-11-08)