Crafted Requests Can Bypass Authentication in Apache HTTP Server's mod_proxy
CVE-2024-38473
8.1 HIGH
Summary
An encoding issue in the mod_proxy module of Apache HTTP Server versions up to 2.4.59 allows request URLs with incorrect encoding to be sent to backend services, which could allow malicious actors to bypass authentication through specially crafted requests. Users are strongly advised to update to version 2.4.60 or later, where this vulnerability has been addressed.
Affected Version(s)
Apache HTTP Server 2.4.0 <= 2.4.59
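Added example (not part of the original advisory): a small check that classifies version strings, as printed by `httpd -v` or seen in a `Server` response header, against the affected range stated above. The host names and sample strings are constructed for illustration.

```python
import re

# Affected range as stated on this page: 2.4.0 <= version <= 2.4.59.
AFFECTED_MIN = (2, 4, 0)
AFFECTED_MAX = (2, 4, 59)

# Matches the product token in `httpd -v` output or a Server header.
_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def classify(version_text):
    """Return 'affected', 'outside-range' or 'unknown' for one version string."""
    match = _VERSION_RE.search(version_text)
    if match is None:
        # e.g. "Server: Apache" (version hidden): nothing to compare.
        return "unknown"
    version = tuple(int(part) for part in match.groups())
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "outside-range"


def audit(inventory):
    """Map each host to its classification; inventory is {host: version text}."""
    return {host: classify(text) for host, text in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "web-01": "Server version: Apache/2.4.58 (Ubuntu)",
    "web-02": "Server version: Apache/2.4.60 (Unix)",
    "web-03": "Server: Apache",
    "web-04": "Server: Apache/2.4.59 (Debian) OpenSSL/3.0.11",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Distribution packages often backport fixes without changing the upstream version number, so an "affected" result should be confirmed against the vendor's own advisory. The issue is in mod_proxy, so also check whether that module is loaded (`httpd -M` lists loaded modules).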
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Orange Tsai (@orange_8361) from DEVCORE