Vulnerability-Lookup

JVNDB-2026-003912

Vulnerability from jvndb - Published: 2026-02-17 20:46 - Updated:2026-02-17 20:46

Summary

Vulnerability in Cosminexus HTTP Server and Hitachi Web Server

Details

Vulnerability has been found in Cosminexus HTTP Server and Hitachi Web Server. CVE-2024-43204

References

Type

URL

CVE

https://www.cve.org/CVERecord?id=CVE-2024-43204

Impacted products

Vendor

Product

	Hitachi, Ltd	Cosminexus HTTP Server
	Hitachi, Ltd	Hitachi Application Server
	Hitachi, Ltd	uCosminexus Application Server(64)
	Hitachi, Ltd	Hitachi Application Server for Developers
	Hitachi, Ltd	uCosminexus Application Server-R
	Hitachi, Ltd	Hitachi Web Server
	Hitachi, Ltd	uCosminexus Application Server
	Hitachi, Ltd	uCosminexus Developer
	Hitachi, Ltd	uCosminexus Primary Server Base
	Hitachi, Ltd	uCosminexus Primary Server Base(64)
	Hitachi, Ltd	uCosminexus Service Architect
	Hitachi, Ltd	uCosminexus Service Platform
	Hitachi, Ltd	uCosminexus Service Platform(64)

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-003912.html",
  "dc:date": "2026-02-17T20:46+09:00",
  "dcterms:issued": "2026-02-17T20:46+09:00",
  "dcterms:modified": "2026-02-17T20:46+09:00",
  "description": "Vulnerability has been found in Cosminexus HTTP Server and Hitachi Web Server.\r\n\r\nCVE-2024-43204",
  "link": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-003912.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:hitachi:cosminexus_http_server",
      "@product": "Cosminexus HTTP Server",
      "@vendor": "Hitachi, Ltd",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:hitachi:hitachi_application_server",
      "@product": "Hitachi Application Server",
      "@vendor": "Hitachi, Ltd",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:hitachi:hitachi_application_server64",
      "@product": "uCosminexus Application Server(64)",
      "@vendor": "Hitachi, Ltd",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:hitachi:hitachi_application_server_for_developers",
      "@product": "Hitachi Application Server for Developers",
      "@vendor": "Hitachi, Ltd",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:hitachi:hitachi_application_server_r",
      "@product": "uCosminexus Application Server-R",
      "@vendor": "Hitachi, Ltd",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:hitachi:hitachi_web_server",
      "@product": "Hitachi Web Server",
      "@vendor": "Hitachi, Ltd",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:hitachi:ucosminexus_application_server",
      "@product": "uCosminexus Application Server",
      "@vendor": "Hitachi, Ltd",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:hitachi:ucosminexus_developer",
      "@product": "uCosminexus Developer",
      "@vendor": "Hitachi, Ltd",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:hitachi:ucosminexus_primary_server_base",
      "@product": "uCosminexus Primary Server Base",
      "@vendor": "Hitachi, Ltd",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:hitachi:ucosminexus_primary_server_base64",
      "@product": "uCosminexus Primary Server Base(64)",
      "@vendor": "Hitachi, Ltd",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:hitachi:ucosminexus_service_architect",
      "@product": "uCosminexus Service Architect",
      "@vendor": "Hitachi, Ltd",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:hitachi:ucosminexus_service_platform",
      "@product": "uCosminexus Service Platform",
      "@vendor": "Hitachi, Ltd",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:hitachi:ucosminexus_service_platform_64",
      "@product": "uCosminexus Service Platform(64)",
      "@vendor": "Hitachi, Ltd",
      "@version": "2.2"
    }
  ],
  "sec:identifier": "JVNDB-2026-003912",
  "sec:references": {
    "#text": "https://www.cve.org/CVERecord?id=CVE-2024-43204",
    "@id": "CVE-2024-43204",
    "@source": "CVE"
  },
  "title": "Vulnerability in Cosminexus HTTP Server and Hitachi Web Server"
}

CVE-2024-43204 (GCVE-0-2024-43204)

Vulnerability from cvelistv5 – Published: 2025-07-10 16:54 – Updated: 2025-11-04 21:08

Title

Apache HTTP Server: SSRF with mod_headers setting Content-Type header

Summary

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64 which fixes this issue.

Severity ?

No CVSS data available.

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

apache

References

URL

Tags

https://httpd.apache.org/security/vulnerabilities…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache HTTP Server	Affected: 2.4.0 , ≤ 2.4.63 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-43204",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T16:06:58.631485Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:56:45.283Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:08:51.242Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/07/10/2"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/07/10/4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.63",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.\u0026nbsp; Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 2.4.64 which fixes this issue."
            }
          ],
          "value": "SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.\u00a0 Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.\n\nUsers are recommended to upgrade to version 2.4.64 which fixes this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T16:54:15.759Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-08-07T09:00:00.000Z",
          "value": "reported"
        }
      ],
      "title": "Apache HTTP Server: SSRF with mod_headers setting Content-Type header",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-43204",
    "datePublished": "2025-07-10T16:54:15.759Z",
    "dateReserved": "2024-08-08T15:13:29.047Z",
    "dateUpdated": "2025-11-04T21:08:51.242Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

JVNDB-2026-003912

CVE-2024-43204 (GCVE-0-2024-43204)

Tags

Sightings

Nomenclature