FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

CVE-2024-38474

Improper Encoding or Escaping of Output (CWE-116)

Published: Jul 1, 2024 / Updated: 4mo ago

010
CVSS 9.8EPSS 0.04%Critical
CVE info copied to clipboard

Summary

A substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or cause source disclosure of scripts meant to only be executed as CGI. This vulnerability is related to improper encoding or escaping of output.

Impact

This vulnerability could lead to unauthorized script execution in restricted directories or the disclosure of sensitive source code. Attackers could potentially exploit this to run malicious scripts or access confidential information, bypassing intended access restrictions. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), with high impacts on confidentiality, integrity, and availability. It requires no privileges or user interaction and can be exploited over the network with low attack complexity. This indicates that the vulnerability is extremely severe and should be given high priority for patching.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Users are recommended to upgrade to Apache HTTP Server version 2.4.60, which fixes this issue.

Mitigation

Upgrade to Apache HTTP Server version 2.4.60. If immediate upgrading is not possible, review and adjust RewriteRules that capture and substitute unsafely. Note that some RewriteRules will now fail unless the rewrite flag "UnsafeAllow3F" is specified. Carefully evaluate the need for this flag, as it may reintroduce the vulnerability. Additionally, monitor for any suspicious activities related to script execution or unauthorized access to restricted directories.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-38474. See article

Jul 1, 2024 at 2:19 PM / Open Source Security
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 1, 2024 at 2:19 PM
Trending

This CVE started to trend in security discussions

Jul 1, 2024 at 6:37 PM
CVE Assignment

NVD published the first details for CVE-2024-38474

Jul 1, 2024 at 7:15 PM
Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2024-38474).

Jul 1, 2024 at 9:51 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (201198)

Jul 1, 2024 at 11:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (513828)

Jul 2, 2024 at 5:15 AM
Threat Intelligence Report

The vulnerability CVE-2024-38474 in Apache HTTP Server allows for exploitation through encoded question marks in backreferences, posing a critical risk to affected systems. As of now, there are no known proof-of-concept exploits, but organizations should apply patches or mitigations provided by the vendor to prevent potential attacks. Downstream impacts to third-party vendors or technologies may occur if they rely on the vulnerable Apache HTTP Server version. See article

Jul 2, 2024 at 8:29 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.2%)

Jul 2, 2024 at 10:01 AM
Static CVE Timeline Graph

Affected Systems

Netapp/clustered_data_ontap
+null more

Patches

bugzilla.redhat.com
+null more

Attack Patterns

CAPEC-104: Cross Zone Scripting
+null more

Vendor Advisory

CVE-2024-38474
Red Hat CVE Database / 4mo
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in CWE-116: Improper Encoding or Escaping of Output

References

July 2024 Apache HTTP Server Vulnerabilities in NetApp Products
NetApp Security Advisories / 4mo
Management Services for Element Software and NetApp HCI NetApp HCI Baseboard Management Controller (BMC) - H410C
Apache HTTP Server 2.4 vulnerabilities
Welcome! - The Apache HTTP Server Project / 4mo
null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in
Security Bulletin: IBM Aspera Console has addressed multiple vulnerabilities (CVE-2024-38477, CVE-2021-38963, CVE-2024-38475, CVE-2024-38474)
IBM - United States / 56d
DESCRIPTION: IBM Aspera Console could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a CSV injection vulnerability. DESCRIPTION: Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by a substitution encoding issue in mod_rewrite.
See 9 more references

News

Xerox® Security Bulletin XRX24-016 for Xerox®FreeFlow® Print Server v9
Security Bulletins for Xerox Products / 15h
Deliverable: July 2024 Security Patch Cluster Includes: Apache HTTP 2.4.62 and Apache Tomcat 8.5.100, OpenSSL 1.0.2zj, OpenSSH 1.1.9 Bulletin Date: November 14, 2024 1.0 Background Oracle® delivers quarterly Critical Patch Updates (CPU) to address US-CERT Security vulnerabilities and reliability improvements for the Solaris Operating System. Xerox Security Bulletin XRX24-016 Xerox® FreeFlow® Print Server v9 For: Solaris® 10 Operating System Install Method: DVD/USB Media
Oracle Linux 9 : httpd (ELSA-2024-9306)
Newest Nessus Plugins from Tenable / 18h
Nessus Plugin ID 211533 with High Severity Synopsis The remote Oracle Linux host is missing one or more security updates. Description The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-9306 advisory. - Resolves: RHEL-52724 - Regression introduced by CVE-2024-38474 fix - Resolves: RHEL-31856 - httpd: HTTP response splitting (CVE-2023-38709) - Resolves: RHEL-31859 - httpd: HTTP Response Splitting in multiple modules (CVE-2024-24795) - Resolves: RHEL-14447 - httpd: mod_macro:
KRB5, Libtiff, XMLRPC-C, and more updates for Oracle
Linux Compatible / 13d
- cifs: fix set of group SID via NTSD xattrs (Paulo Alcantara) [RHEL-56052] - cifs: do not use uninitialized data in the owner/group sid (Paulo Alcantara) [RHEL-56052]
minektur/rhel8-cve-eratta-checker: This is a command line tool takes a CVE on the command line, uses some magic screen scraping to find a URL to Red Hat's rhel8 eratta posting about patching the CVE
GitHub / 19d
Since I often have a hyperventilating security team (OK, I'm the security team too...) asking about these vulnerabilities, it's nice to be able to take a list of CVEs and verify that Red Hat has actually patched the, or in some other way declared that our server is not vulnerable. This tool will do some magic search/screen-scraping to find RHEL's relese erratta URLs for specific vulnerabilities (by CVE ID).
Multiple vulnerabilities in IBM Cloud Pak System
Security feed from CyberSecurity Help / 20d
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability. The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
See 212 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

CVSS 9.8(27010)CWE-116(280)Netapp(2342)Apache(2568)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial