Description

The Apache balancer-manager application displays the current working configuration and status of the enabled balancers and workers currently in use. However, not only does it display these parameters, it also allows for dynamic, runtime, on-the-fly reconfiguration of almost all of them, including adding new BalancerMembers (workers) to an existing balancer.

Remediation

Restrict access to balancer-manager application.

References

Reverse Proxy Guide

Related Vulnerabilities

WordPress Plugin Backup Migration Information Disclosure (1.2.8)

WordPress Plugin Service Finder-Provider and Business Listing Local File Disclosure (3.0)

Unrestricted access to Caddy API interface

Gitlab user disclosure

Drupal 7 arbitrary PHP code execution and information disclosure

Severity

Medium

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Insecure Admin Access Information Disclosure