CVE-2024-10306 MEDIUM

CVE-2024-10306: Mod_proxy_cluster: mod_proxy_cluster unauthorized mcmp requests

Vendor Red Hat

Product Red Hat JBoss Core Services

Weakness CWE-863 · Incorrect authorization

Published April 23, 2025

Last update November 8, 2025

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means that anyone with access to the host might send MCMP requests that may result in adding/removing/updating nodes for the balancing. However, this host should not be accessible to the public network as it does not serve the general traffic.

Key dates

02Disclosure timeline

April 23, 2025 CVE published

November 8, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-10306 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

Identifiers

CVE CVE-2024-10306

CWE CWE-863

CVSS 5.4 / MEDIUM

Affected versions

Vendor Red Hat

Product Red Hat JBoss Core Services

Affected All versions

Vendor Red Hat

Product Red Hat JBoss Core Services

Affected All versions

CVE-2024-10306: Mod_proxy_cluster: mod_proxy_cluster unauthorized mcmp requests

01Description

02Disclosure timeline

03References

04Related CVE