Apache HTTP Server Vulnerable to Information Disclosure and Local Script Execution
CVE-2024-38476

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 1 July 2024

What is CVE-2024-38476?

A vulnerability exists in the core functionality of Apache HTTP Server versions 2.4.59 and earlier, which can lead to information disclosure and unauthorized access through server-side request forgery (SSRF) and local script execution. This arises from the improper handling of backend application response headers that may be maliciously crafted. To mitigate these risks, users should upgrade to version 2.4.60 or later, which addresses these security concerns effectively.

Affected Version(s)

Apache HTTP Server 2.4.0 <= 2.4.59

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

https://security.netapp.com/advisory/ntap-20240712-0001/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 1, 2024
Vulnerability Reserved
Jun 17, 2024

Credit

Orange Tsai (@orange_8361) from DEVCORE