CVE-2024-38474

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:netapp:clustered_data_ontap:9.0:*:*:*:*:*:*:*

History

21 Aug 2024, 15:03

Type Values Removed Values Added
References () https://httpd.apache.org/security/vulnerabilities_24.html - () https://httpd.apache.org/security/vulnerabilities_24.html - Vendor Advisory
References () https://security.netapp.com/advisory/ntap-20240712-0001/ - () https://security.netapp.com/advisory/ntap-20240712-0001/ - Third Party Advisory
CPE cpe:2.3:o:netapp:clustered_data_ontap:9.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
First Time Apache http Server
Netapp
Apache
Netapp clustered Data Ontap

12 Jul 2024, 14:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20240712-0001/ -

02 Jul 2024, 12:09

Type Values Removed Values Added
Summary
  • (es) El problema de codificación de sustitución en mod_rewrite en Apache HTTP Server 2.4.59 y versiones anteriores permite al atacante ejecutar scripts en directorios permitidos por la configuración pero a los que no se puede acceder directamente mediante ninguna URL o divulgación de fuente de scripts destinados a ejecutarse únicamente como CGI. Se recomienda a los usuarios actualizar a la versión 2.4.60, que soluciona este problema. Algunas RewriteRules que capturan y sustituyen de forma insegura ahora fallarán a menos que se especifique el indicador de reescritura "UnsafeAllow3F".

01 Jul 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-01 19:15

Updated : 2024-08-21 15:03


NVD link : CVE-2024-38474

Mitre link : CVE-2024-38474

CVE.ORG link : CVE-2024-38474


JSON object : View

Products Affected

apache

  • http_server

netapp

  • clustered_data_ontap
CWE
CWE-116

Improper Encoding or Escaping of Output