Exploit
CVE-2024-38475

Improper Encoding or Escaping of Output (CWE-116)

Published: Jul 1, 2024 / Updated: 4mo ago

CVSS 9.1 / EPSS 0.04% / Critical

Summary

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change, and the rewrite flag "UnsafePrefixStat" can be used to opt back in once the substitution has been appropriately constrained.

Impact

This vulnerability allows attackers to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally or directly reachable by any URL. This can result in code execution or source code disclosure. The vulnerability has a CVSS v3.1 base score of 9.1 (HIGH), with high impact on confidentiality and integrity, but no impact on availability. The attack vector is network-based, requires low attack complexity, no privileges, and no user interaction. This indicates that the vulnerability is relatively easy to exploit and can have severe consequences for affected systems.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Users are recommended to upgrade to Apache HTTP Server version 2.4.60, which fixes this issue.

Mitigation

1. Upgrade to Apache HTTP Server version 2.4.60 or later as soon as possible.
2. If immediate upgrading is not feasible, use the rewrite flag "UnsafePrefixStat" as a temporary measure. This allows opting back into the previous behavior, but only after ensuring the substitution is appropriately constrained.
3. Review and audit all RewriteRules, especially those using backreferences or variables as the first segment of the substitution in server context.
4. Implement network segmentation and access controls to limit exposure of affected servers.
5. Monitor systems for unusual activities or unauthorized access attempts.
6. Keep systems and software up to date with the latest security patches.
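As an added example (not code from this page or from the Apache project), a small Python audit that applies mitigation step 3: it walks an httpd.conf fragment and reports server-context RewriteRules whose substitution begins with a backreference or variable and that do not carry the UnsafePrefixStat opt-in flag. The sample configuration is constructed, and the parser only understands one-line directives and the per-directory containers it lists, so it is a triage aid rather than a full configuration parser.

```python
import re

# Constructed sample httpd.conf fragment (not from any real deployment). Line 3
# has the affected shape (substitution whose first segment is a backreference,
# in server context); line 4 is the constrained form with a literal prefix;
# line 5 starts with a variable; line 6 has explicitly opted back in; line 8
# sits in per-directory context and is therefore out of scope for this CVE.
SAMPLE_CONF = """
RewriteEngine On
RewriteRule "^/html/(.*)$" "/$1.html"
RewriteRule "^/html/([A-Za-z0-9_-]+)$" "/html/$1.html"
RewriteRule "^/var/(.*)$" "%{DOCUMENT_ROOT}/$1"
RewriteRule "^/legacy/([a-z]+)$" "/$1.html" [UnsafePrefixStat]
<Directory "/var/www/html">
    RewriteRule "^(.*)$" "$1" [L]
</Directory>
"""

# RewriteRule <pattern> <substitution> [flags]; tokens may be double-quoted.
RULE_RE = re.compile(
    r'^\s*RewriteRule\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)\s*(\[([^\]]*)\])?', re.I)
# Containers that switch mod_rewrite into per-directory context. <VirtualHost>
# is deliberately absent: rules inside it are still server context.
OPEN_RE = re.compile(
    r'^\s*<(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)\b', re.I)
CLOSE_RE = re.compile(
    r'^\s*</(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)>', re.I)
# First segment of the substitution is a backreference ($N) or a variable (%{...}).
PREFIX_RE = re.compile(r'^/?(\$\d|%\{)')


def find_unsafe_prefix_rules(conf_text):
    """Return (line_no, substitution) for every server-context RewriteRule whose
    substitution starts with a backreference or variable and lacks UnsafePrefixStat."""
    findings = []
    depth = 0  # nesting depth of per-directory containers
    for n, line in enumerate(conf_text.splitlines(), 1):
        if OPEN_RE.match(line):
            depth += 1
            continue
        if CLOSE_RE.match(line):
            depth = max(0, depth - 1)
            continue
        m = RULE_RE.match(line)
        if not m or depth > 0:
            continue
        subst = m.group(2).strip('"')
        flags = [f.strip().lower() for f in (m.group(4) or "").split(",") if f.strip()]
        if PREFIX_RE.match(subst) and "unsafeprefixstat" not in flags:
            findings.append((n, subst))
    return findings
```

Each finding still needs a human decision: either give the substitution a literal prefix under a known document-root directory and tighten the capture, or add UnsafePrefixStat only once the capture cannot produce an unintended filesystem path.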

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-38475.

Jul 1, 2024 at 2:19 PM / Open Source Security
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jul 1, 2024 at 2:19 PM
Trending

This CVE started to trend in security discussions

Jul 1, 2024 at 6:37 PM
CVE Assignment

NVD published the first details for CVE-2024-38475

Jul 1, 2024 at 7:15 PM
Vendor Advisory

RedHat CVE advisory released a security advisory (CVE-2024-38475).

Jul 1, 2024 at 9:51 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (201198)

Jul 1, 2024 at 11:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (513828)

Jul 2, 2024 at 5:15 AM
Threat Intelligence Report

The vulnerability CVE-2024-38475 in Apache HTTP Server's mod_rewrite allows an attacker to exploit weaknesses in the substitution matching filesystem paths, potentially leading to unauthorized access or other malicious activities. This critical vulnerability has a CVSS score of [insert score if available], and while there are currently no known proof-of-concept exploits, users are advised to apply patches or mitigations provided by the vendor to prevent exploitation. Downstream impacts may affect other third-party vendors or technologies that rely on Apache HTTP Server for web hosting services.

Jul 2, 2024 at 8:29 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.2%)

Jul 2, 2024 at 10:01 AM
Static CVE Timeline Graph

Affected Systems

Apache/http_server

Exploits

https://github.com/p0in7s/CVE-2024-38475

Patches

bugzilla.redhat.com

Attack Patterns

CAPEC-104: Cross Zone Scripting

Vendor Advisory

CVE-2024-38475
CWE-116: Improper Encoding or Escaping of Output Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.

References

Security Bulletin: IBM Aspera Console has addressed multiple vulnerabilities (CVE-2024-38477, CVE-2021-38963, CVE-2024-38475, CVE-2024-38474)
DESCRIPTION: IBM Aspera Console could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a CSV injection vulnerability. DESCRIPTION: Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by a substitution encoding issue in mod_rewrite.
Multiple vulnerabilities in cPanel EasyApache
The vulnerability exists due to insufficient validation of user-supplied input when handling incorrect encoding in mod_proxy. The vulnerability exists due to insufficient validation of user-supplied input in mod_rewrite proxy handler substitution.
Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies . CVE-2024-38476 - Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect

News

Xerox® Security Bulletin XRX24-016 for Xerox®FreeFlow® Print Server v9
Deliverable: July 2024 Security Patch Cluster Includes: Apache HTTP 2.4.62 and Apache Tomcat 8.5.100, OpenSSL 1.0.2zj, OpenSSH 1.1.9 Bulletin Date: November 14, 2024 1.0 Background Oracle® delivers quarterly Critical Patch Updates (CPU) to address US-CERT Security vulnerabilities and reliability improvements for the Solaris Operating System. Xerox Security Bulletin XRX24-016 Xerox® FreeFlow® Print Server v9 For: Solaris® 10 Operating System Install Method: DVD/USB Media
KRB5, Libtiff, XMLRPC-C, and more updates for Oracle
- cifs: fix set of group SID via NTSD xattrs (Paulo Alcantara) [RHEL-56052] - cifs: do not use uninitialized data in the owner/group sid (Paulo Alcantara) [RHEL-56052]
Multiple vulnerabilities in IBM Cloud Pak System
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability. The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
EulerOS Virtualization 2.12.1 : httpd (EulerOS-SA-2024-2751)
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue. (CVE-2024-39573) Null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue. (CVE-2024-38477)
Multiple vulnerabilities in Dell NetWorker And NetWorker Management Console
Public exploit code for vulnerability #9 is available. Public exploit code for vulnerability #11 is available.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: None
