Apache HTTP Server Vulnerable to Information Disclosure and Local Script Execution
CVE-2024-38476

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 1 July 2024

Summary

A vulnerability exists in the core functionality of Apache HTTP Server versions 2.4.59 and earlier, which can lead to information disclosure and unauthorized access through server-side request forgery (SSRF) and local script execution. This arises from the improper handling of backend application response headers that may be maliciously crafted. To mitigate these risks, users should upgrade to version 2.4.60 or later, which addresses these security concerns effectively.

Affected Version(s)

Apache HTTP Server 2.4.0 <= 2.4.59

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

https://security.netapp.com/advisory/ntap-20240712-0001/

EPSS Score

1% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 1, 2024
Vulnerability Reserved
Jun 17, 2024

Collectors

NVD DatabaseMitre Database

Credit

Orange Tsai (@orange_8361) from DEVCORE