Apache HTTP Server Vulnerable to Information Disclosure and Local Script Execution

CVE-2024-38476

9.8CRITICAL

Key Information

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 1 July 2024

Summary

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Affected Version(s)

Apache HTTP Server <= 2.4.59

EPSS Score

1% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jul 1, 2024
Vulnerability Reserved.
Jun 17, 2024
reported
Apr 1, 2024

Collectors

NVD DatabaseMitre Database

Credit

Orange Tsai (@orange_8361) from DEVCORE