CVE-2024-10306

5.4 MEDIUM

📋 TL;DR

This vulnerability in mod_proxy_cluster allows unauthorized access to MCMP (Mod-Cluster Management Protocol) endpoints due to incorrect use of the <Directory> directive instead of <Location>. Attackers with network access to the host could add, remove, or update load balancing nodes, potentially disrupting service availability. Only systems using mod_proxy_cluster with the vulnerable configuration are affected.

💻 Affected Systems

Products:
  • mod_proxy_cluster
  • Apache HTTP Server with mod_proxy_cluster module
  • Red Hat JBoss Web Server
  • Red Hat JBoss Core Services
Versions: Specific versions not provided in CVE description; check Red Hat advisories for affected versions
Operating Systems: Linux distributions with affected packages
Default Config Vulnerable: ✅ No
Notes: Only affects configurations that use a <Directory> directive with Require ip restrictions for MCMP endpoints. <Directory> applies to filesystem paths rather than URL paths, so it does not restrict access to those endpoints as intended.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could manipulate the load balancer configuration to redirect all traffic to malicious servers, causing complete service disruption, data interception, or denial of service.

🟠 Likely Case

Unauthorized modification of load balancing nodes leading to service degradation, incorrect traffic routing, or temporary service outages.

🟢 If Mitigated

Minimal impact if the host is properly isolated from untrusted networks and access controls are correctly implemented.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the host running mod_proxy_cluster. No authentication is needed if the vulnerable configuration is present.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check specific Red Hat advisories for patched versions

Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:9434

Restart Required: Yes

Instructions:

  1. Apply the appropriate Red Hat security update for your system.
  2. Replace <Directory> directives with <Location> directives in mod_proxy_cluster configuration.
  3. Restart Apache HTTP Server or relevant service.

🔧 Temporary Workarounds

Replace Directory with Location Directive

Manually update Apache configuration to use <Location> instead of <Directory> for MCMP endpoint restrictions

# Edit Apache configuration file
# Change: <Directory "/mod_cluster-manager">
# To: <Location "/mod_cluster-manager">
# Change the matching closing tag as well: </Directory> to </Location>
# Ensure proper Require ip directives are maintained

Network Isolation

Restrict network access to the mod_proxy_cluster host using firewall rules

# Example iptables rule to restrict access
iptables -A INPUT -p tcp --dport <MCMP_PORT> -s <TRUSTED_IP> -j ACCEPT
iptables -A INPUT -p tcp --dport <MCMP_PORT> -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to isolate the mod_proxy_cluster host from untrusted networks
  • Monitor MCMP endpoint access logs for unauthorized connection attempts

🔍 How to Verify

Check if Vulnerable:

Check Apache configuration files for <Directory> directives applied to mod_cluster-manager or similar MCMP endpoints instead of <Location> directives
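
The check above can be scripted. The following is an added example, not part of the original advisory or of mod_proxy_cluster: a small Python auditor that reports <Directory>/<DirectoryMatch> sections which mention mod_cluster-manager and rely on a Require directive. The function name, the marker tuple and the sample configuration are assumptions constructed for illustration.

```python
import re

# Marker taken from the page's example path; add other MCMP endpoint names as needed.
MCMP_MARKERS = ("mod_cluster-manager",)
OPEN = re.compile(r"^<\s*([A-Za-z]+)\b(.*)>$")
CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")
# Constructed sample configuration (not from a real host).
SAMPLE_CONF = """\
<VirtualHost *:6666>
  # <Directory "/mod_cluster-manager">  commented out, must be ignored
  <Directory "/mod_cluster-manager">
    Require ip 127.0.0.1
  </Directory>
  <Directory "/var/www/html">
    Require all granted
  </Directory>
</VirtualHost>
<Location "/mod_cluster-manager">
  Require ip 127.0.0.1
</Location>
"""

def find_directory_guarded_mcmp(conf_text):
    """Return [(line_no, header)] for <Directory*> sections guarding an MCMP marker."""
    findings, stack = [], []  # frame: (section name, start line, lines seen)
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out sections must not be reported
        closing = CLOSE.match(line)
        if closing:
            if stack and stack[-1][0] == closing.group(1).lower():
                name, start, seen = stack.pop()
                text = "\n".join(seen).lower()
                uses_require = any(s.lower().startswith("require ") for s in seen[1:])
                if (name.startswith("directory") and uses_require
                        and any(m.lower() in text for m in MCMP_MARKERS)):
                    findings.append((start, seen[0]))
            continue
        for frame in stack:
            frame[2].append(line)  # nested lines count towards every open section
        opening = OPEN.match(line)
        if opening:
            stack.append((opening.group(1).lower(), line_no, [line]))
    return findings

if __name__ == "__main__":
    for line_no, header in find_directory_guarded_mcmp(SAMPLE_CONF):
        print(f"line {line_no}: {header} should be a <Location> section")
```

The script does not follow Include directives, so run it over each configuration file that httpd loads.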

Check Version:

httpd -v | grep 'Server version' && rpm -qa | grep -i mod_proxy_cluster

Verify Fix Applied:

Verify configuration files now use <Location> directives for MCMP endpoints and test that unauthorized access is properly blocked

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /mod_cluster-manager endpoints
  • Unexpected MCMP protocol messages from untrusted sources
  • Changes to load balancer node configuration without authorized changes

Network Indicators:

  • Traffic to MCMP ports from unauthorized IP addresses
  • Unexpected MCMP protocol traffic patterns

SIEM Query:

source="apache_access.log" AND (uri_path="/mod_cluster-manager" OR user_agent="MCMP") AND src_ip NOT IN [trusted_ip_list]
