
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was found in mod_proxy_cluster (CVE-2024-10306) where the directive implementation does not properly restrict IP/host access as intended. The vulnerability was disclosed on April 23, 2025, affecting the mod_proxy_cluster component (NVD, Red Hat).
The vulnerability stems from an incorrect implementation where the Require ip IP_ADDRESS directive does not effectively restrict IP/host access as expected. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified under CWE-863 (Incorrect Authorization) (NVD).
When exploited, this vulnerability allows anyone with access to the host to send MCMP (Mod-Cluster Management Protocol) requests that can result in adding, removing, or updating nodes for the balancing system. While the affected host should not be accessible from public networks as it doesn't serve general traffic, the impact could be significant if access is obtained (Red Hat Bugzilla).
The primary mitigation strategy involves ensuring that the host running mod_proxy_cluster is not accessible from public networks, as it is not intended to serve general traffic. The directive should be replaced with a properly implemented access control mechanism (Red Hat Bugzilla).
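
An added example (not part of the original page or of the mod_proxy_cluster project): since the Require ip restriction cannot be relied on, this check reviews access-log lines for MCMP requests that came from clients outside the expected node networks. The MCMP method names, the common/combined log format, the `ALLOWED_NODES` network and the sample log lines are assumptions or constructed values, not taken from the page.

```python
import ipaddress
import re

# MCMP commands travel as HTTP methods. These names come from the mod_cluster
# protocol documentation (assumption: not listed on this page).
MCMP_MUTATING = {"CONFIG", "ENABLE-APP", "DISABLE-APP", "STOP-APP", "REMOVE-APP"}
MCMP_READONLY = {"STATUS", "INFO", "DUMP", "PING"}

# Assumed Apache common/combined log prefix: client ident user [time] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z-]+) (\S+)[^"]*" (\d{3})')

# Constructed value: networks the worker nodes are expected to report from.
ALLOWED_NODES = ["10.0.0.0/24"]

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.0.0.11 - - [23/Apr/2025:10:00:01 +0000] "STATUS / HTTP/1.1" 200 64',
    '10.0.0.12 - - [23/Apr/2025:10:00:05 +0000] "CONFIG / HTTP/1.1" 200 0',
    '192.0.2.44 - - [23/Apr/2025:10:02:17 +0000] "REMOVE-APP / HTTP/1.1" 200 0',
    '198.51.100.7 - - [23/Apr/2025:10:03:40 +0000] "INFO / HTTP/1.1" 403 199',
    '192.0.2.44 - - [23/Apr/2025:10:04:02 +0000] "GET /index.html HTTP/1.1" 200 512',
]

def find_unexpected_mcmp(lines, allowed_networks):
    """Return MCMP requests whose client address is outside allowed_networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        client, when, method, path, status = m.groups()
        if method not in MCMP_MUTATING | MCMP_READONLY:
            continue  # ordinary HTTP request
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            addr = None  # hostname was logged; cannot be matched, so report it
        if addr is not None and any(addr in n for n in nets):
            continue  # expected node
        findings.append({
            "client": client, "time": when, "method": method, "path": path,
            "mutating": method in MCMP_MUTATING,  # adds/removes/updates nodes
            "accepted": status.startswith("2"),   # server returned success
        })
    return findings

if __name__ == "__main__":
    for f in find_unexpected_mcmp(SAMPLE_LOG, ALLOWED_NODES):
        print(f)
```

A finding with both `mutating` and `accepted` set is the case to investigate first, because it means a node change from an unexpected address was answered with a success status.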
Source: This report was generated using AI