The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.
2011-10-05T22:55:02.643
2025-04-11T00:51:21.963
Deferred
CVSSv2: 5.0 (MEDIUM)
AV:N/AC:L/Au:N/C:P/I:N/A:N
10.0
2.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | apache | http_server | 1.3 | Yes |
| Application | apache | http_server | 1.3.0 | Yes |
| Application | apache | http_server | 1.3.1 | Yes |
| Application | apache | http_server | 1.3.1.1 | Yes |
| Application | apache | http_server | 1.3.2 | Yes |
| Application | apache | http_server | 1.3.3 | Yes |
| Application | apache | http_server | 1.3.4 | Yes |
| Application | apache | http_server | 1.3.5 | Yes |
| Application | apache | http_server | 1.3.6 | Yes |
| Application | apache | http_server | 1.3.7 | Yes |
| Application | apache | http_server | 1.3.8 | Yes |
| Application | apache | http_server | 1.3.9 | Yes |
| Application | apache | http_server | 1.3.10 | Yes |
| Application | apache | http_server | 1.3.11 | Yes |
| Application | apache | http_server | 1.3.12 | Yes |
| Application | apache | http_server | 1.3.13 | Yes |
| Application | apache | http_server | 1.3.14 | Yes |
| Application | apache | http_server | 1.3.15 | Yes |
| Application | apache | http_server | 1.3.16 | Yes |
| Application | apache | http_server | 1.3.17 | Yes |
| Application | apache | http_server | 1.3.18 | Yes |
| Application | apache | http_server | 1.3.19 | Yes |
| Application | apache | http_server | 1.3.20 | Yes |
| Application | apache | http_server | 1.3.22 | Yes |
| Application | apache | http_server | 1.3.23 | Yes |
| Application | apache | http_server | 1.3.24 | Yes |
| Application | apache | http_server | 1.3.25 | Yes |
| Application | apache | http_server | 1.3.26 | Yes |
| Application | apache | http_server | 1.3.27 | Yes |
| Application | apache | http_server | 1.3.28 | Yes |
| Application | apache | http_server | 1.3.29 | Yes |
| Application | apache | http_server | 1.3.30 | Yes |
| Application | apache | http_server | 1.3.31 | Yes |
| Application | apache | http_server | 1.3.32 | Yes |
| Application | apache | http_server | 1.3.33 | Yes |
| Application | apache | http_server | 1.3.34 | Yes |
| Application | apache | http_server | 1.3.35 | Yes |
| Application | apache | http_server | 1.3.36 | Yes |
| Application | apache | http_server | 1.3.37 | Yes |
| Application | apache | http_server | 1.3.38 | Yes |
| Application | apache | http_server | 1.3.39 | Yes |
| Application | apache | http_server | 1.3.41 | Yes |
| Application | apache | http_server | 1.3.42 | Yes |
| Application | apache | http_server | 1.3.65 | Yes |
| Application | apache | http_server | 1.3.68 | Yes |
| Application | apache | http_server | 2.0 | Yes |
| Application | apache | http_server | 2.0.9 | Yes |
| Application | apache | http_server | 2.0.28 | Yes |
| Application | apache | http_server | 2.0.28 | Yes |
| Application | apache | http_server | 2.0.32 | Yes |
| Application | apache | http_server | 2.0.32 | Yes |
| Application | apache | http_server | 2.0.34 | Yes |
| Application | apache | http_server | 2.0.35 | Yes |
| Application | apache | http_server | 2.0.36 | Yes |
| Application | apache | http_server | 2.0.37 | Yes |
| Application | apache | http_server | 2.0.38 | Yes |
| Application | apache | http_server | 2.0.39 | Yes |
| Application | apache | http_server | 2.0.40 | Yes |
| Application | apache | http_server | 2.0.41 | Yes |
| Application | apache | http_server | 2.0.42 | Yes |
| Application | apache | http_server | 2.0.43 | Yes |
| Application | apache | http_server | 2.0.44 | Yes |
| Application | apache | http_server | 2.0.45 | Yes |
| Application | apache | http_server | 2.0.46 | Yes |
| Application | apache | http_server | 2.0.47 | Yes |
| Application | apache | http_server | 2.0.48 | Yes |
| Application | apache | http_server | 2.0.49 | Yes |
| Application | apache | http_server | 2.0.50 | Yes |
| Application | apache | http_server | 2.0.51 | Yes |
| Application | apache | http_server | 2.0.52 | Yes |
| Application | apache | http_server | 2.0.53 | Yes |
| Application | apache | http_server | 2.0.54 | Yes |
| Application | apache | http_server | 2.0.55 | Yes |
| Application | apache | http_server | 2.0.56 | Yes |
| Application | apache | http_server | 2.0.57 | Yes |
| Application | apache | http_server | 2.0.58 | Yes |
| Application | apache | http_server | 2.0.59 | Yes |
| Application | apache | http_server | 2.0.60 | Yes |
| Application | apache | http_server | 2.0.61 | Yes |
| Application | apache | http_server | 2.0.63 | Yes |
| Application | apache | http_server | 2.0.64 | Yes |
| Application | apache | http_server | 2.2.0 | Yes |
| Application | apache | http_server | 2.2.1 | Yes |
| Application | apache | http_server | 2.2.2 | Yes |
| Application | apache | http_server | 2.2.3 | Yes |
| Application | apache | http_server | 2.2.4 | Yes |
| Application | apache | http_server | 2.2.6 | Yes |
| Application | apache | http_server | 2.2.8 | Yes |
| Application | apache | http_server | 2.2.9 | Yes |
| Application | apache | http_server | 2.2.10 | Yes |
| Application | apache | http_server | 2.2.11 | Yes |
| Application | apache | http_server | 2.2.12 | Yes |
| Application | apache | http_server | 2.2.13 | Yes |
| Application | apache | http_server | 2.2.14 | Yes |
| Application | apache | http_server | 2.2.15 | Yes |
| Application | apache | http_server | 2.2.16 | Yes |
| Application | apache | http_server | 2.2.18 | Yes |
| Application | apache | http_server | 2.2.19 | Yes |
| Application | apache | http_server | 2.2.20 | Yes |
| Application | apache | http_server | 2.2.21 | Yes |