Vulnerability Description
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Http Server | >= 2.4.0, < 2.4.60 |
| Netapp | Clustered Data Ontap | 9.0 |
Related Weaknesses (CWE)
References
- https://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
- https://security.netapp.com/advisory/ntap-20240712-0001/Third Party Advisory
- http://www.openwall.com/lists/oss-security/2024/07/01/7
- https://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
- https://security.netapp.com/advisory/ntap-20240712-0001/Third Party Advisory
FAQ
What is CVE-2024-38474?
CVE-2024-38474 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any U...
How severe is CVE-2024-38474?
CVE-2024-38474 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-38474?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Netapp Clustered Data Ontap.