Substitution Encoding Issue in mod_rewrite Allows Execution of Scripts in Directories
CVE-2024-38474

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 1 July 2024

What is CVE-2024-38474?

A substitution encoding issue exists in mod_rewrite for Apache HTTP Server versions 2.4.59 and earlier, which may allow an attacker to execute scripts in directories that are permitted by the server configuration but are not directly accessible through any URL. This vulnerability can lead to the unauthorized disclosure of scripts that are intended to be executed only as CGI. To mitigate this issue, users should upgrade to Apache HTTP Server version 2.4.60 or later. In addition, certain RewriteRules that would capture and substitute unsafely will be prohibited unless the rewrite flag 'UnsafeAllow3F' is specified.

Affected Version(s)

Apache HTTP Server 2.4.0 <= 2.4.59

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

https://security.netapp.com/advisory/ntap-20240712-0001/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 1, 2024
Vulnerability Reserved
Jun 17, 2024

Credit

Orange Tsai (@orange_8361) from DEVCORE