Substitution Encoding Issue in mod_rewrite Allows Execution of Scripts in Directories
CVE-2024-38474

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 1 July 2024

Summary

A substitution encoding issue exists in mod_rewrite for Apache HTTP Server versions 2.4.59 and earlier, which may allow an attacker to execute scripts in directories that are permitted by the server configuration but are not directly accessible through any URL. This vulnerability can lead to the unauthorized disclosure of scripts that are intended to be executed only as CGI. To mitigate this issue, users should upgrade to Apache HTTP Server version 2.4.60 or later. In addition, certain RewriteRules that would capture and substitute unsafely will be prohibited unless the rewrite flag 'UnsafeAllow3F' is specified.

Affected Version(s)

Apache HTTP Server 2.4.0 <= 2.4.59

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

https://security.netapp.com/advisory/ntap-20240712-0001/

EPSS Score

3% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 1, 2024
Vulnerability Reserved
Jun 17, 2024

Collectors

NVD DatabaseMitre Database

Credit

Orange Tsai (@orange_8361) from DEVCORE