CVE-2024-38474

EPSS 0.59%
Published 01.07.2024 19:15:04
Last modified 25.03.2025 19:15:43
Source security@apache.org
Teams watchlist Login
Open Login

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in
directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.

Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ HTTP Server Version >= 2.4.0 < 2.4.60

Netapp ≫ Clustered Data Ontap Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.59%	0.682

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

https://httpd.apache.org/security/vulnerabilities_24.html

Vendor Advisory

https://security.netapp.com/advisory/ntap-20240712-0001/

Third Party Advisory

http://www.openwall.com/lists/oss-security/2024/07/01/7

https://nvd.nist.gov/vuln/detail/CVE-2024-38474

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-38474

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-38474

EUVD