Code Execution or Source Code Disclosure Vulnerability in Apache HTTP Server's mod_rewrite
CVE-2024-38475
Key Information:
- Vendor: Apache
- Status
- Vendor
- CVE Published: 1 July 2024
What is CVE-2024-38475?
CVE-2024-38475 is a significant vulnerability in the Apache HTTP Server, specifically affecting the mod_rewrite component in version 2.4.59 and earlier. This module plays a crucial role in managing URL manipulations, enabling users to create intuitive URLs for web navigation. The vulnerability arises from improper escaping of output, which could allow an attacker to manipulate URLs and gain unauthorized access to filesystem locations that should not be directly reachable. This flaw can lead to severe consequences for organizations, including unauthorized code execution and exposure of sensitive source code.
Technical Details
The vulnerability is characterized by flaws in how the Apache HTTP Server's mod_rewrite module processes substitutions involving backreferences or variables. Specifically, it fails to properly constrain user input when generating output, allowing attackers to create rewrite rules that could be exploited. Unsafe RewriteRules may be affected, and while there is an option to revert to a less secure state using the "UnsafePrefixStat" flag, it is essential for administrators to ensure that substitutions are properly constrained to mitigate risks.
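One way to audit a configuration for the rule shape described above, as an added example that is not from the original page or from the Apache project: it flags `RewriteRule` lines whose substitution has a backreference or variable in its first path segment, and records whether the rule carries `UnsafePrefixStat`. The function names, the first-segment heuristic and the sample configuration are assumptions constructed for illustration.

```python
import re
import shlex

# Heuristic (assumption of this example): the substitution's first path segment
# starts with a backreference ($N, %N) or a variable/map expansion (%{...}, ${...}).
DYNAMIC_FIRST_SEGMENT = re.compile(r"^/?(?:[$%]\d|[$%]\{)")

def parse_flags(token):
    """Turn '[L,R=301]' into {'l', 'r'} (flag names only, lower-cased)."""
    if not (token.startswith("[") and token.endswith("]")):
        return set()
    return {f.split("=", 1)[0].strip().lower() for f in token[1:-1].split(",") if f.strip()}

def audit_rewrite_rules(config_text):
    """Return one finding per RewriteRule whose substitution needs review."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)   # honours "quoted arguments"
        except ValueError:
            tokens = line.split()        # unbalanced quote: plain whitespace split
        if len(tokens) < 3 or tokens[0].lower() != "rewriterule":
            continue
        substitution = tokens[2]
        if not DYNAMIC_FIRST_SEGMENT.match(substitution):
            continue
        flags = parse_flags(tokens[3]) if len(tokens) > 3 else set()
        findings.append({
            "line": lineno,
            "substitution": substitution,
            # True means the rule explicitly opts back in to the pre-fix behaviour.
            "unsafe_prefix_stat": "unsafeprefixstat" in flags,
        })
    return findings

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONFIG = r'''
RewriteEngine On
# RewriteRule ^/disabled/(.*)$ $1
RewriteRule "^/html/(.*)$" "/$1.html"
RewriteRule ^/old$ /new [R=301,L]
RewriteRule ^/dl/(.*)$ %{DOCUMENT_ROOT}/files/$1 [L,UnsafePrefixStat]
RewriteRule ^/img/(.*)$ /static/img/$1 [L]
'''

if __name__ == "__main__":
    for finding in audit_rewrite_rules(SAMPLE_CONFIG):
        print(finding)
```

Rules reported with `unsafe_prefix_stat` set to `True` are the ones to review first, since they have opted out of the constraint and depend entirely on the pattern limiting what the substitution can expand to.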
Potential Impact of CVE-2024-38475
- Code Execution: An attacker could execute arbitrary code on the server by exploiting the vulnerability, potentially leading to full system compromise and unauthorized control over the affected server.
- Source Code Disclosure: The flaw may allow unauthorized users to access sensitive source code that is stored on the server, leading to intellectual property theft and increasing the risk of further attacks.
- Service Disruption: Exploitation of the vulnerability could lead to instability of web services, resulting in downtime or performance issues that could affect user experience and lead to substantial financial losses for organizations relying on the affected servers.
CISA has reported CVE-2024-38475
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2024-38475 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Apache HTTP Server 2.4.0 <= 2.4.59
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
2 SonicWall Vulnerabilities Under Active Exploit
The vulnerabilities affect SonicWall's SMA devices for secure remote access, which have been heavily targeted by threat actors in the past.
3 weeks ago
PoC Published for Exploited SonicWall Vulnerabilities
PoC code targeting two exploited SonicWall vulnerabilities was published just as CISA added them to the KEV catalog.
3 weeks ago
watchTowr Warns of Active Exploitation of SonicWall SMA 100 Devices
watchTowr reveals active exploitation of SonicWall SMA 100 vulnerabilities (CVE-2024-38475 & CVE-2023-44221) leading to full system takeover.
3 weeks ago
EPSS Score
92% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 📈 Vulnerability started trending
- 🦅 CISA Reported
- 📰 First article discovered by BleepingComputer
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability Reserved