Substitution Encoding Issue in mod_rewrite Allows Execution of Scripts in Directories

CVE-2024-38474

9.8CRITICAL

Key Information

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 1 July 2024

Summary

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

Affected Version(s)

Apache HTTP Server <= 2.4.59

EPSS Score

3% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jul 1, 2024
Vulnerability Reserved.
Jun 17, 2024
reported
Apr 1, 2024

Collectors

NVD DatabaseMitre Database

Credit

Orange Tsai (@orange_8361) from DEVCORE