Apache 2

The Nessus plugin maps to CVE-2022-31813 in mod_proxy. Apache HTTP Server 2.4.0 through 2.4.53 can drop X-Forwarded-* headers when a client abuses the HTTP Connection hop-by-hop mechanism, and the fix landed in 2.4.54. The bug matters when Apache is acting as a reverse proxy and the backend application makes security decisions from forwarded client-IP or host headers.

The scary part is the scanner/NVD label, not the real-world attack path. Apache itself rated this issue low, and that is closer to reality than NVD's 9.8, because exploitation is heavily configuration-dependent: you need a vulnerable Apache reverse proxy, a reachable proxied route, and a backend that incorrectly trusts missing or rewritten forwarding headers for IP-based access control. That is still worth fixing, but it is nowhere near a generic unauthenticated full-stack compromise.

Why this verdict

• Config chain required: vulnerable Apache alone is not enough; you also need reverse proxying and a backend that trusts X-Forwarded-* for access control.
• Attacker position is narrower than CVSS implies: this is network-reachable, but only against the subset of hosts fronting the right kind of backend workflow.
• Blast radius is usually route-level, not host-level: the common outcome is access to IP-gated pages or APIs, not shell on the proxy.
• Population is overstated by scanners: Nessus 193421 is a version check and does not validate mod_proxy usage, proxy rules, or backend trust behavior.
• Threat intel is quiet: no KEV listing and low EPSS are both downward pressure on urgency.

Why not higher?

There is no generic unauthenticated RCE, no memory corruption, and no evidence of broad active exploitation. Most importantly, the vulnerability depends on a second design flaw in the backend trust model, so the reachable victim pool is far smaller than 'all Apache 2.4.53 and earlier' suggests.

Why not lower?

When the preconditions line up, this is still a real access-control bypass on internet-facing infrastructure. Enterprises do have legacy admin panels, API gates, and localhost/proxy allowlists behind Apache, so dismissing it as pure hygiene would miss the subset where the impact is serious.

1. Audit reverse-proxy trust paths — Identify Apache hosts that proxy to apps making auth or ACL decisions from X-Forwarded-*, REMOTE_ADDR, or 'trusted proxy/localhost' assumptions. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this review should happen in the next normal change cycle so you can separate noisy version hits from real risk.
2. Enforce auth at the application layer — Replace IP-only backend protections with real authentication and authorization where possible. This removes the trust amplifier that makes the bug matter and is the most durable compensating control while you work through the patch within the 365-day remediation window.
3. Normalize or drop suspicious hop-by-hop headers at the edge — Strip or reject client-supplied Connection values that name X-Forwarded-* headers on upstream load balancers, CDNs, or WAFs. This is a solid temporary guardrail for exposed reverse proxies even though there is no noisgate mitigation SLA for a MEDIUM finding.
4. Log and alert on header abuse — Add detections for requests where Connection references X-Forwarded-For, X-Forwarded-Host, or X-Forwarded-Proto. This will not fix the bug, but it gives you high-signal hunting coverage for attempted exploitation while remediation proceeds.

Run this on the target Apache host with local shell access. Invoke it as sudo bash check_cve_2022_31813.sh /etc/httpd /etc/apache2; it needs privileges only to read Apache configs and execute apachectl/httpd module listing.

#!/usr/bin/env bash
# check_cve_2022_31813.sh
# Purpose: Assess likely exposure to CVE-2022-31813 on an Apache host.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

CONFIG_HINTS=("$@")
if [ ${#CONFIG_HINTS[@]} -eq 0 ]; then
  CONFIG_HINTS=(/etc/httpd /etc/apache2 /usr/local/apache2/conf)
fi

APACHECTL=""
for c in apachectl apache2ctl; do
  if command -v "$c" >/dev/null 2>&1; then
    APACHECTL="$(command -v "$c")"
    break
  fi
done

HTTPD_BIN=""
for b in httpd apache2; do
  if command -v "$b" >/dev/null 2>&1; then
    HTTPD_BIN="$(command -v "$b")"
    break
  fi
done

if [ -z "$APACHECTL" ] && [ -z "$HTTPD_BIN" ]; then
  echo "UNKNOWN - Apache control binary not found"
  exit 2
fi

get_version() {
  local out=""
  if [ -n "$HTTPD_BIN" ]; then
    out="$($HTTPD_BIN -v 2>/dev/null || true)"
  fi
  if [ -z "$out" ] && [ -n "$APACHECTL" ]; then
    out="$($APACHECTL -v 2>/dev/null || true)"
  fi
  echo "$out" | sed -n 's/^Server version: .*\/\([0-9][0-9.]*\).*/\1/p' | head -n1
}

ver_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ] && return 1
  [ "$1" = "$2" ] && return 1
  return 0
}

VERSION="$(get_version)"
if [ -z "$VERSION" ]; then
  echo "UNKNOWN - Unable to determine Apache version"
  exit 2
fi

# Upstream fixed in 2.4.54, but distro backports may patch older-looking versions.
# If the package version is >= 2.4.54, treat as patched.
if ! ver_lt "$VERSION" "2.4.54"; then
  echo "PATCHED - Apache version $VERSION is >= 2.4.54"
  exit 0
fi

MODULES=""
if [ -n "$APACHECTL" ]; then
  MODULES="$($APACHECTL -M 2>/dev/null || true)"
fi
if [ -z "$MODULES" ] && [ -n "$HTTPD_BIN" ]; then
  MODULES="$($HTTPD_BIN -M 2>/dev/null || true)"
fi

if [ -z "$MODULES" ]; then
  echo "UNKNOWN - Apache version $VERSION is old, but loaded modules could not be inspected"
  exit 2
fi

if ! echo "$MODULES" | grep -Eqi 'proxy(_http|_fcgi|_ajp|_wstunnel)?_module|proxy_module'; then
  echo "UNKNOWN - Apache version $VERSION is old, but mod_proxy does not appear to be loaded"
  exit 2
fi

CONFIG_FILES=()
for p in "${CONFIG_HINTS[@]}"; do
  if [ -d "$p" ]; then
    while IFS= read -r -d '' f; do
      CONFIG_FILES+=("$f")
    done < <(find "$p" -type f \( -name '*.conf' -o -name 'httpd.conf' -o -name 'apache2.conf' -o -name '*.load' \) -print0 2>/dev/null)
  elif [ -f "$p" ]; then
    CONFIG_FILES+=("$p")
  fi
done

if [ ${#CONFIG_FILES[@]} -eq 0 ]; then
  echo "UNKNOWN - Apache version $VERSION is old and mod_proxy is loaded, but no configs were found"
  exit 2
fi

if grep -EHiq '(^|[^#])(ProxyPass|ProxyPassMatch|RewriteRule.+\[P\]|SetHandler\s+"?proxy:|BalancerMember)' "${CONFIG_FILES[@]}" 2>/dev/null; then
  echo "VULNERABLE - Apache version $VERSION is < 2.4.54, mod_proxy is loaded, and reverse-proxy directives were found"
  exit 1
fi

echo "UNKNOWN - Apache version $VERSION is old and mod_proxy is loaded, but no reverse-proxy directives were found"
exit 2

Sources

1. Tenable plugin 193421
2. Apache HTTP Server 2.4 vulnerabilities advisory
3. NVD CVE-2022-31813
4. CVE.org record
5. Synacktiv technical write-up
6. Ubuntu security tracker
7. Debian security tracker
8. Wiz vulnerability database entry