Null Pointer Dereference in Apache HTTP Server Leading to Server Crash
CVE-2024-38477
7.5 HIGH
What is CVE-2024-38477?
A null pointer dereference vulnerability has been identified in mod_proxy in the Apache HTTP Server, versions 2.4.59 and earlier. An attacker can trigger the flaw with a specially crafted request. Successful exploitation causes the server to crash, resulting in downtime and potential data loss. Upgrading to version 2.4.60, which addresses this issue, is strongly recommended. For further details, refer to the official Apache advisory.
Affected Version(s)
Apache HTTP Server 2.4.0 through 2.4.59
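
A triage check for the affected range and the mod_proxy module named above, as an added example that is not taken from the Apache advisory or project: it classifies captured `httpd -v` and `httpd -M` output. The function name, result labels and sample text are constructed for illustration.

```sh
#!/bin/sh
# Triage a host for CVE-2024-38477 from captured httpd output.
# Affected range per the page: 2.4.0 through 2.4.59, fixed in 2.4.60.

# classify_httpd BANNER MODULES
#   BANNER  : text printed by `httpd -v` (or `apache2 -v`)
#   MODULES : text printed by `httpd -M` (or `apachectl -M`)
# Prints: in-range-proxy-loaded | in-range-proxy-not-loaded | out-of-range | unknown
classify_httpd() {
    banner=$1
    modules=$2
    # Extract "2.4.58" from "Server version: Apache/2.4.58 (Unix)".
    ver=$(printf '%s\n' "$banner" |
        sed -n 's|^Server version: Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -ne 2 ] || [ "$minor" -ne 4 ] || [ "$patch" -gt 59 ]; then
        echo out-of-range
        return 0
    fi
    # mod_proxy is listed as "proxy_module (shared)" or "proxy_module (static)".
    # The trailing whitespace keeps proxy_http_module and friends from matching.
    if printf '%s\n' "$modules" | grep -Eq '^[[:space:]]*proxy_module[[:space:]]'; then
        echo in-range-proxy-loaded
    else
        echo in-range-proxy-not-loaded
    fi
}

# Constructed sample output, not captured from a real host.
SAMPLE_BANNER='Server version: Apache/2.4.58 (Unix)
Server built:   Jan  1 2024 00:00:00'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_http_module (shared)'

classify_httpd "$SAMPLE_BANNER" "$SAMPLE_MODULES"
```

Distribution packages often backport fixes without changing the upstream version string, so an in-range result is a prompt to check the vendor's package changelog rather than proof of exposure.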