csaf_ncscnl - ncsc-2024-0275

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Apache Software Foundation heeft kwetsbaarheden verholpen in de Apache HTTP-Server.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "Een kwaadwillende kan de kwetsbaarheden misbruiken om een Denial-of-Service te veroorzaken, middels een Server-Side-Request-Forgery (SSRF) verkeer te manipuleren, of om code uit te voeren binnen de webserver, waarvoor de kwaadwillende aanvankelijk niet is geautoriseerd.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Apache Software Foundation heeft updates uitgebracht om de kwetsbaarheden te verhelpen in Apache HTTP-Server 2.4.60. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Encoding or Escaping of Output",
        "title": "CWE-116"
      },
      {
        "category": "general",
        "text": "Encoding Error",
        "title": "CWE-172"
      },
      {
        "category": "general",
        "text": "Improper Input Validation",
        "title": "CWE-20"
      },
      {
        "category": "general",
        "text": "Exposure of Sensitive Information to an Unauthorized Actor",
        "title": "CWE-200"
      },
      {
        "category": "general",
        "text": "Improper Access Control",
        "title": "CWE-284"
      },
      {
        "category": "general",
        "text": "Improper Resource Shutdown or Release",
        "title": "CWE-404"
      },
      {
        "category": "general",
        "text": "NULL Pointer Dereference",
        "title": "CWE-476"
      },
      {
        "category": "general",
        "text": "Inclusion of Functionality from Untrusted Control Sphere",
        "title": "CWE-829"
      },
      {
        "category": "general",
        "text": "Server-Side Request Forgery (SSRF)",
        "title": "CWE-918"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - cveprojectv5; ibm; nvd; redhat",
        "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Apache HHTP-server",
    "tracking": {
      "current_release_date": "2024-07-02T11:44:22.653047Z",
      "id": "NCSC-2024-0275",
      "initial_release_date": "2024-07-02T11:44:22.653047Z",
      "revision_history": [
        {
          "date": "2024-07-02T11:44:22.653047Z",
          "number": "0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "apache_http_server",
            "product": {
              "name": "apache_http_server",
              "product_id": "CSAFPID-1465466",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache_software_foundation:apache_http_server:2.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "apache_http_server",
            "product": {
              "name": "apache_http_server",
              "product_id": "CSAFPID-1491761",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache_software_foundation:apache_http_server:2.4.55:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "apache_http_server",
            "product": {
              "name": "apache_http_server",
              "product_id": "CSAFPID-1491762",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache_software_foundation:apache_http_server:2.4.59:*:*:*:*:*:*:*"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "apache_software_foundation"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-76769",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-76761",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-76766",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139639",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.11:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-76770",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-76772",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.13:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139611",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.14:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139603",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.15:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139596",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139667",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139663",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139697",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.19:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-76762",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139591",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139684",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.21:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139652",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.22:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-96956",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139580",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.24:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139628",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.25:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139643",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.26:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139651",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.27:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139623",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.28:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139593",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.29:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-76764",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139704",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.30:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139647",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.31:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139728",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.32:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139724",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.33:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139584",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.34:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139696",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.35:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139685",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.36:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139677",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.37:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139585",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.38:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139577",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.39:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-76767",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139664",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.40:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139675",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.41:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139602",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.42:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139569",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.43:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139689",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.44:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139655",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.45:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139716",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.46:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139737",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.47:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139568",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.48:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139711",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139589",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.5:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139662",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.50:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139619",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.51:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139563",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.52:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-139637",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.53:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-140516",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.54:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-142004",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.55:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-1473391",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.56:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-1473393",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.57:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-1473392",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.58:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-1491521",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.59:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-76765",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-76763",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-76771",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "http_server",
            "product": {
              "name": "http_server",
              "product_id": "CSAFPID-76773",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "apache"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-36387",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "notes": [
        {
          "category": "other",
          "text": "NULL Pointer Dereference",
          "title": "CWE-476"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-76769",
          "CSAFPID-76761",
          "CSAFPID-76762",
          "CSAFPID-76764",
          "CSAFPID-76767",
          "CSAFPID-76765",
          "CSAFPID-76763",
          "CSAFPID-76771",
          "CSAFPID-76773",
          "CSAFPID-76766",
          "CSAFPID-76770",
          "CSAFPID-139611",
          "CSAFPID-139596",
          "CSAFPID-139667",
          "CSAFPID-139663",
          "CSAFPID-139697",
          "CSAFPID-139591",
          "CSAFPID-139684",
          "CSAFPID-139652",
          "CSAFPID-96956",
          "CSAFPID-139580",
          "CSAFPID-139628",
          "CSAFPID-139643",
          "CSAFPID-139651",
          "CSAFPID-139623",
          "CSAFPID-139593",
          "CSAFPID-139704",
          "CSAFPID-139724",
          "CSAFPID-139584",
          "CSAFPID-139696",
          "CSAFPID-139677",
          "CSAFPID-139585",
          "CSAFPID-139737",
          "CSAFPID-139711",
          "CSAFPID-139662",
          "CSAFPID-139637",
          "CSAFPID-1491761",
          "CSAFPID-1491762"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-36387",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-36387.json"
        }
      ],
      "title": "CVE-2024-36387"
    },
    {
      "cve": "CVE-2024-38472",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Server-Side Request Forgery (SSRF)",
          "title": "CWE-918"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-76769",
          "CSAFPID-76761",
          "CSAFPID-76762",
          "CSAFPID-76764",
          "CSAFPID-76767",
          "CSAFPID-76765",
          "CSAFPID-76763",
          "CSAFPID-76771",
          "CSAFPID-76773",
          "CSAFPID-76766",
          "CSAFPID-76770",
          "CSAFPID-139611",
          "CSAFPID-139596",
          "CSAFPID-139667",
          "CSAFPID-139663",
          "CSAFPID-139697",
          "CSAFPID-139591",
          "CSAFPID-139684",
          "CSAFPID-139652",
          "CSAFPID-96956",
          "CSAFPID-139580",
          "CSAFPID-139628",
          "CSAFPID-139643",
          "CSAFPID-139651",
          "CSAFPID-139623",
          "CSAFPID-139593",
          "CSAFPID-139704",
          "CSAFPID-139724",
          "CSAFPID-139584",
          "CSAFPID-139696",
          "CSAFPID-139677",
          "CSAFPID-139585",
          "CSAFPID-139737",
          "CSAFPID-139711",
          "CSAFPID-139662",
          "CSAFPID-139637",
          "CSAFPID-1465466",
          "CSAFPID-1491762"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-38472",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38472.json"
        }
      ],
      "title": "CVE-2024-38472"
    },
    {
      "cve": "CVE-2024-38473",
      "cwe": {
        "id": "CWE-172",
        "name": "Encoding Error"
      },
      "notes": [
        {
          "category": "other",
          "text": "Encoding Error",
          "title": "CWE-172"
        },
        {
          "category": "other",
          "text": "Improper Encoding or Escaping of Output",
          "title": "CWE-116"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-76769",
          "CSAFPID-76761",
          "CSAFPID-76762",
          "CSAFPID-76764",
          "CSAFPID-76767",
          "CSAFPID-76765",
          "CSAFPID-76763",
          "CSAFPID-76771",
          "CSAFPID-76773",
          "CSAFPID-76766",
          "CSAFPID-76770",
          "CSAFPID-139611",
          "CSAFPID-139596",
          "CSAFPID-139667",
          "CSAFPID-139663",
          "CSAFPID-139697",
          "CSAFPID-139591",
          "CSAFPID-139684",
          "CSAFPID-139652",
          "CSAFPID-96956",
          "CSAFPID-139580",
          "CSAFPID-139628",
          "CSAFPID-139643",
          "CSAFPID-139651",
          "CSAFPID-139623",
          "CSAFPID-139593",
          "CSAFPID-139704",
          "CSAFPID-139724",
          "CSAFPID-139584",
          "CSAFPID-139696",
          "CSAFPID-139677",
          "CSAFPID-139585",
          "CSAFPID-139737",
          "CSAFPID-139711",
          "CSAFPID-139662",
          "CSAFPID-139637",
          "CSAFPID-1465466",
          "CSAFPID-1491762"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-38473",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38473.json"
        }
      ],
      "title": "CVE-2024-38473"
    },
    {
      "cve": "CVE-2024-38474",
      "cwe": {
        "id": "CWE-172",
        "name": "Encoding Error"
      },
      "notes": [
        {
          "category": "other",
          "text": "Encoding Error",
          "title": "CWE-172"
        },
        {
          "category": "other",
          "text": "Improper Encoding or Escaping of Output",
          "title": "CWE-116"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-76769",
          "CSAFPID-76761",
          "CSAFPID-76762",
          "CSAFPID-76764",
          "CSAFPID-76767",
          "CSAFPID-76765",
          "CSAFPID-76763",
          "CSAFPID-76771",
          "CSAFPID-76773",
          "CSAFPID-76766",
          "CSAFPID-76770",
          "CSAFPID-139611",
          "CSAFPID-139596",
          "CSAFPID-139667",
          "CSAFPID-139663",
          "CSAFPID-139697",
          "CSAFPID-139591",
          "CSAFPID-139684",
          "CSAFPID-139652",
          "CSAFPID-96956",
          "CSAFPID-139580",
          "CSAFPID-139628",
          "CSAFPID-139643",
          "CSAFPID-139651",
          "CSAFPID-139623",
          "CSAFPID-139593",
          "CSAFPID-139704",
          "CSAFPID-139724",
          "CSAFPID-139584",
          "CSAFPID-139696",
          "CSAFPID-139677",
          "CSAFPID-139585",
          "CSAFPID-139737",
          "CSAFPID-139711",
          "CSAFPID-139662",
          "CSAFPID-139637",
          "CSAFPID-1465466",
          "CSAFPID-1491762"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-38474",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38474.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-76769",
            "CSAFPID-76761",
            "CSAFPID-76762",
            "CSAFPID-76764",
            "CSAFPID-76767",
            "CSAFPID-76765",
            "CSAFPID-76763",
            "CSAFPID-76771",
            "CSAFPID-76773",
            "CSAFPID-76766",
            "CSAFPID-76770",
            "CSAFPID-139611",
            "CSAFPID-139596",
            "CSAFPID-139667",
            "CSAFPID-139663",
            "CSAFPID-139697",
            "CSAFPID-139591",
            "CSAFPID-139684",
            "CSAFPID-139652",
            "CSAFPID-96956",
            "CSAFPID-139580",
            "CSAFPID-139628",
            "CSAFPID-139643",
            "CSAFPID-139651",
            "CSAFPID-139623",
            "CSAFPID-139593",
            "CSAFPID-139704",
            "CSAFPID-139724",
            "CSAFPID-139584",
            "CSAFPID-139696",
            "CSAFPID-139677",
            "CSAFPID-139585",
            "CSAFPID-139737",
            "CSAFPID-139711",
            "CSAFPID-139662",
            "CSAFPID-139637",
            "CSAFPID-1465466",
            "CSAFPID-1491762"
          ]
        }
      ],
      "title": "CVE-2024-38474"
    },
    {
      "cve": "CVE-2024-38475",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Access Control",
          "title": "CWE-284"
        },
        {
          "category": "other",
          "text": "Improper Encoding or Escaping of Output",
          "title": "CWE-116"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-76769",
          "CSAFPID-76761",
          "CSAFPID-76762",
          "CSAFPID-76764",
          "CSAFPID-76767",
          "CSAFPID-76765",
          "CSAFPID-76763",
          "CSAFPID-76771",
          "CSAFPID-76773",
          "CSAFPID-76766",
          "CSAFPID-76770",
          "CSAFPID-139611",
          "CSAFPID-139596",
          "CSAFPID-139667",
          "CSAFPID-139663",
          "CSAFPID-139697",
          "CSAFPID-139591",
          "CSAFPID-139684",
          "CSAFPID-139652",
          "CSAFPID-96956",
          "CSAFPID-139580",
          "CSAFPID-139628",
          "CSAFPID-139643",
          "CSAFPID-139651",
          "CSAFPID-139623",
          "CSAFPID-139593",
          "CSAFPID-139704",
          "CSAFPID-139724",
          "CSAFPID-139584",
          "CSAFPID-139696",
          "CSAFPID-139677",
          "CSAFPID-139585",
          "CSAFPID-139737",
          "CSAFPID-139711",
          "CSAFPID-139662",
          "CSAFPID-139637",
          "CSAFPID-1465466",
          "CSAFPID-1491762"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-38475",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38475.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-76769",
            "CSAFPID-76761",
            "CSAFPID-76762",
            "CSAFPID-76764",
            "CSAFPID-76767",
            "CSAFPID-76765",
            "CSAFPID-76763",
            "CSAFPID-76771",
            "CSAFPID-76773",
            "CSAFPID-76766",
            "CSAFPID-76770",
            "CSAFPID-139611",
            "CSAFPID-139596",
            "CSAFPID-139667",
            "CSAFPID-139663",
            "CSAFPID-139697",
            "CSAFPID-139591",
            "CSAFPID-139684",
            "CSAFPID-139652",
            "CSAFPID-96956",
            "CSAFPID-139580",
            "CSAFPID-139628",
            "CSAFPID-139643",
            "CSAFPID-139651",
            "CSAFPID-139623",
            "CSAFPID-139593",
            "CSAFPID-139704",
            "CSAFPID-139724",
            "CSAFPID-139584",
            "CSAFPID-139696",
            "CSAFPID-139677",
            "CSAFPID-139585",
            "CSAFPID-139737",
            "CSAFPID-139711",
            "CSAFPID-139662",
            "CSAFPID-139637",
            "CSAFPID-1465466",
            "CSAFPID-1491762"
          ]
        }
      ],
      "title": "CVE-2024-38475"
    },
    {
      "cve": "CVE-2024-38476",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "other",
          "text": "Exposure of Sensitive Information to an Unauthorized Actor",
          "title": "CWE-200"
        },
        {
          "category": "other",
          "text": "Inclusion of Functionality from Untrusted Control Sphere",
          "title": "CWE-829"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-76769",
          "CSAFPID-76761",
          "CSAFPID-76762",
          "CSAFPID-76764",
          "CSAFPID-76767",
          "CSAFPID-76765",
          "CSAFPID-76763",
          "CSAFPID-76771",
          "CSAFPID-76773",
          "CSAFPID-76766",
          "CSAFPID-76770",
          "CSAFPID-139611",
          "CSAFPID-139596",
          "CSAFPID-139667",
          "CSAFPID-139663",
          "CSAFPID-139697",
          "CSAFPID-139591",
          "CSAFPID-139684",
          "CSAFPID-139652",
          "CSAFPID-96956",
          "CSAFPID-139580",
          "CSAFPID-139628",
          "CSAFPID-139643",
          "CSAFPID-139651",
          "CSAFPID-139623",
          "CSAFPID-139593",
          "CSAFPID-139704",
          "CSAFPID-139724",
          "CSAFPID-139584",
          "CSAFPID-139696",
          "CSAFPID-139677",
          "CSAFPID-139585",
          "CSAFPID-139737",
          "CSAFPID-139711",
          "CSAFPID-139662",
          "CSAFPID-139637",
          "CSAFPID-1465466",
          "CSAFPID-1491762"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-38476",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38476.json"
        }
      ],
      "title": "CVE-2024-38476"
    },
    {
      "cve": "CVE-2024-38477",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Resource Shutdown or Release",
          "title": "CWE-404"
        },
        {
          "category": "other",
          "text": "NULL Pointer Dereference",
          "title": "CWE-476"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-76769",
          "CSAFPID-76761",
          "CSAFPID-76762",
          "CSAFPID-76764",
          "CSAFPID-76767",
          "CSAFPID-76765",
          "CSAFPID-76763",
          "CSAFPID-76771",
          "CSAFPID-76773",
          "CSAFPID-76766",
          "CSAFPID-76770",
          "CSAFPID-139611",
          "CSAFPID-139596",
          "CSAFPID-139667",
          "CSAFPID-139663",
          "CSAFPID-139697",
          "CSAFPID-139591",
          "CSAFPID-139684",
          "CSAFPID-139652",
          "CSAFPID-96956",
          "CSAFPID-139580",
          "CSAFPID-139628",
          "CSAFPID-139643",
          "CSAFPID-139651",
          "CSAFPID-139623",
          "CSAFPID-139593",
          "CSAFPID-139704",
          "CSAFPID-139724",
          "CSAFPID-139584",
          "CSAFPID-139696",
          "CSAFPID-139677",
          "CSAFPID-139585",
          "CSAFPID-139737",
          "CSAFPID-139711",
          "CSAFPID-139662",
          "CSAFPID-139637",
          "CSAFPID-1465466",
          "CSAFPID-1491762"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-38477",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38477.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-76769",
            "CSAFPID-76761",
            "CSAFPID-76762",
            "CSAFPID-76764",
            "CSAFPID-76767",
            "CSAFPID-76765",
            "CSAFPID-76763",
            "CSAFPID-76771",
            "CSAFPID-76773",
            "CSAFPID-76766",
            "CSAFPID-76770",
            "CSAFPID-139611",
            "CSAFPID-139596",
            "CSAFPID-139667",
            "CSAFPID-139663",
            "CSAFPID-139697",
            "CSAFPID-139591",
            "CSAFPID-139684",
            "CSAFPID-139652",
            "CSAFPID-96956",
            "CSAFPID-139580",
            "CSAFPID-139628",
            "CSAFPID-139643",
            "CSAFPID-139651",
            "CSAFPID-139623",
            "CSAFPID-139593",
            "CSAFPID-139704",
            "CSAFPID-139724",
            "CSAFPID-139584",
            "CSAFPID-139696",
            "CSAFPID-139677",
            "CSAFPID-139585",
            "CSAFPID-139737",
            "CSAFPID-139711",
            "CSAFPID-139662",
            "CSAFPID-139637",
            "CSAFPID-1465466",
            "CSAFPID-1491762"
          ]
        }
      ],
      "title": "CVE-2024-38477"
    },
    {
      "cve": "CVE-2024-39573",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Server-Side Request Forgery (SSRF)",
          "title": "CWE-918"
        },
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-76769",
          "CSAFPID-76761",
          "CSAFPID-76762",
          "CSAFPID-76764",
          "CSAFPID-76767",
          "CSAFPID-76765",
          "CSAFPID-76763",
          "CSAFPID-76771",
          "CSAFPID-76773",
          "CSAFPID-76766",
          "CSAFPID-76770",
          "CSAFPID-139611",
          "CSAFPID-139596",
          "CSAFPID-139667",
          "CSAFPID-139663",
          "CSAFPID-139697",
          "CSAFPID-139591",
          "CSAFPID-139684",
          "CSAFPID-139652",
          "CSAFPID-96956",
          "CSAFPID-139580",
          "CSAFPID-139628",
          "CSAFPID-139643",
          "CSAFPID-139651",
          "CSAFPID-139623",
          "CSAFPID-139593",
          "CSAFPID-139704",
          "CSAFPID-139724",
          "CSAFPID-139584",
          "CSAFPID-139696",
          "CSAFPID-139677",
          "CSAFPID-139585",
          "CSAFPID-139737",
          "CSAFPID-139711",
          "CSAFPID-139662",
          "CSAFPID-139637",
          "CSAFPID-1465466",
          "CSAFPID-1491762"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-39573",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-39573.json"
        }
      ],
      "title": "CVE-2024-39573"
    }
  ]
}

cve-2024-38473

Vulnerability from cvelistv5

Published

2024-07-01 18:14

Modified

2024-09-13 17:04

Severity ?

Summary

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

References

▼	URL	Tags
	https://httpd.apache.org/security/vulnerabilities_24.html	vendor-advisory
	https://security.netapp.com/advisory/ntap-20240712-0001/

Impacted products

Vendor

Product

Version

▼

Version: 2.4.0 ≤ 2.4.59

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache_software_foundation:apache_http_server:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "apache_http_server",
            "vendor": "apache_software_foundation",
            "versions": [
              {
                "lessThanOrEqual": "2.4.59",
                "status": "affected",
                "version": "2.4.0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-38473",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-24T13:55:35.300035Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-24T14:02:38.927Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-13T17:04:54.566Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/07/01/6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.59",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Orange Tsai (@orange_8361) from DEVCORE"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.\u003cbr\u003eUsers are recommended to upgrade to version 2.4.60, which fixes this issue."
            }
          ],
          "value": "Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-01T18:14:21.520Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-04-01T12:00:00.000Z",
          "value": "reported"
        }
      ],
      "title": "Apache HTTP Server proxy encoding problem",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-38473",
    "datePublished": "2024-07-01T18:14:21.520Z",
    "dateReserved": "2024-06-17T11:05:01.135Z",
    "dateUpdated": "2024-09-13T17:04:54.566Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-38476

Vulnerability from cvelistv5

Published

2024-07-01 18:15

Modified

2024-10-29 16:42

Severity ?

Summary

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

References

▼	URL	Tags
	https://httpd.apache.org/security/vulnerabilities_24.html	vendor-advisory
	https://security.netapp.com/advisory/ntap-20240712-0001/

Impacted products

Vendor

Product

Version

▼

Version: 2.4.0 ≤ 2.4.59

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "http_server",
            "vendor": "apache",
            "versions": [
              {
                "lessThanOrEqual": "2.4.59",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-38476",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-29T03:55:12.524796Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-29T16:42:18.129Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-13T17:04:57.387Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/07/01/9"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.59",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Orange Tsai (@orange_8361) from DEVCORE"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ebackend applications whose response headers are malicious or exploitable.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 2.4.60, which fixes this issue."
            }
          ],
          "value": "Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via\u00a0backend applications whose response headers are malicious or exploitable.\n\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-829",
              "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-01T18:15:40.071Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-04-01T12:00:00.000Z",
          "value": "reported"
        }
      ],
      "title": "Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-38476",
    "datePublished": "2024-07-01T18:15:40.071Z",
    "dateReserved": "2024-06-17T11:10:56.470Z",
    "dateUpdated": "2024-10-29T16:42:18.129Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-36387

Vulnerability from cvelistv5

Published

2024-07-01 18:10

Modified

2024-11-25 17:28

Severity ?

Summary

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.

References

▼	URL	Tags
	https://httpd.apache.org/security/vulnerabilities_24.html	vendor-advisory
	https://security.netapp.com/advisory/ntap-20240712-0001/

Impacted products

Vendor

Product

Version

▼

Version: 2.4.55 ≤ 2.4.59

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 5.4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-36387",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-22T16:22:03.472412Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-25T17:28:29.258Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-13T17:04:49.998Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/07/01/4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.59",
              "status": "affected",
              "version": "2.4.55",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marc Stern (\u003cmarc.stern@approach-cyber.com\u003e)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance."
            }
          ],
          "value": "Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-02T10:05:15.503Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-05-27T13:23:00.000Z",
          "value": "fixed in r1918003 in trunk"
        }
      ],
      "title": "Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-36387",
    "datePublished": "2024-07-01T18:10:25.512Z",
    "dateReserved": "2024-05-27T11:13:32.415Z",
    "dateUpdated": "2024-11-25T17:28:29.258Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-39573

Vulnerability from cvelistv5

Published

2024-07-01 18:16

Modified

2024-09-13 17:05

Severity ?

Summary

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

References

▼	URL	Tags
	https://httpd.apache.org/security/vulnerabilities_24.html	vendor-advisory
	https://security.netapp.com/advisory/ntap-20240712-0001/

Impacted products

Vendor

Product

Version

▼

Version: 2.4.0 ≤ 2.4.59

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache:http_server:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "http_server",
            "vendor": "apache",
            "versions": [
              {
                "lessThanOrEqual": "2.4.59",
                "status": "affected",
                "version": "2.4.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-39573",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-01T20:41:48.835121Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-01T20:44:44.754Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-13T17:05:01.124Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/07/01/11"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.59",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Orange Tsai (@orange_8361) from DEVCORE"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL\u0027s to be handled by mod_proxy.\u003cbr\u003eUsers are recommended to upgrade to version 2.4.60, which fixes this issue."
            }
          ],
          "value": "Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL\u0027s to be handled by mod_proxy.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-01T18:16:44.297Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-04-01T12:00:00.000Z",
          "value": "reported"
        }
      ],
      "title": "Apache HTTP Server: mod_rewrite proxy handler substitution",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-39573",
    "datePublished": "2024-07-01T18:16:44.297Z",
    "dateReserved": "2024-06-25T17:13:46.679Z",
    "dateUpdated": "2024-09-13T17:05:01.124Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-38477

Vulnerability from cvelistv5

Published

2024-07-01 18:16

Modified

2024-09-13 17:04

Severity ?

Summary

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

References

▼	URL	Tags
	https://httpd.apache.org/security/vulnerabilities_24.html	vendor-advisory
	https://security.netapp.com/advisory/ntap-20240712-0001/

Impacted products

Vendor

Product

Version

▼

Version: 2.4.0 ≤ 2.4.59

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38477",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-22T16:23:13.858578Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-22T16:23:33.260Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-13T17:04:58.395Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/07/01/10"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.59",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Orange Tsai (@orange_8361) from DEVCORE"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\u003cbr\u003eUsers are recommended to upgrade to version 2.4.60, which fixes this issue."
            }
          ],
          "value": "null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476 NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-01T18:16:11.935Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-04-01T12:00:00.000Z",
          "value": "Reported"
        }
      ],
      "title": "Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-38477",
    "datePublished": "2024-07-01T18:16:11.935Z",
    "dateReserved": "2024-06-17T11:11:30.174Z",
    "dateUpdated": "2024-09-13T17:04:58.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-38474

Vulnerability from cvelistv5

Published

2024-07-01 18:14

Modified

2024-09-13 17:04

Severity ?

Summary

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

References

▼	URL	Tags
	https://httpd.apache.org/security/vulnerabilities_24.html	vendor-advisory
	https://security.netapp.com/advisory/ntap-20240712-0001/

Impacted products

Vendor

Product

Version

▼

Version: 2.4.0 ≤ 2.4.59

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38474",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-09T18:02:41.305061Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-09T18:02:49.344Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-13T17:04:55.485Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/07/01/7"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.59",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Orange Tsai (@orange_8361) from DEVCORE"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in\u003cbr\u003edirectories permitted by the configuration but not directly reachable by any\u0026nbsp;URL or source disclosure of scripts meant to only to be executed as CGI.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 2.4.60, which fixes this issue.\u003cbr\u003e\u003cbr\u003eSome RewriteRules that capture and substitute unsafely will now fail unless rewrite flag \"UnsafeAllow3F\" is specified."
            }
          ],
          "value": "Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in\ndirectories permitted by the configuration but not directly reachable by any\u00a0URL or source disclosure of scripts meant to only to be executed as CGI.\n\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.\n\nSome RewriteRules that capture and substitute unsafely will now fail unless rewrite flag \"UnsafeAllow3F\" is specified."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-01T18:14:47.004Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-04-01T12:00:00.000Z",
          "value": "reported"
        }
      ],
      "title": "Apache HTTP Server weakness with encoded question marks in backreferences",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-38474",
    "datePublished": "2024-07-01T18:14:47.004Z",
    "dateReserved": "2024-06-17T11:09:02.297Z",
    "dateUpdated": "2024-09-13T17:04:55.485Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-38475

Vulnerability from cvelistv5

Published

2024-07-01 18:15

Modified

2024-09-13 17:04

Severity ?

Summary

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

References

▼	URL	Tags
	https://httpd.apache.org/security/vulnerabilities_24.html	vendor-advisory
	https://security.netapp.com/advisory/ntap-20240712-0001/

Impacted products

Vendor

Product

Version

▼

Version: 2.4.0 ≤ 2.4.59

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "http_server",
            "vendor": "apache",
            "versions": [
              {
                "lessThanOrEqual": "2.4.59",
                "status": "affected",
                "version": "2.4.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:netapp:ontap_9:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "ontap_9",
            "vendor": "netapp",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-38475",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-10T03:55:18.658443Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-31T20:24:11.619Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-13T17:04:56.456Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.blackhat.com/us-24/briefings/schedule/index.html#confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-pre-recorded-40227"
          },
          {
            "url": "https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/07/01/8"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.59",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Orange Tsai (@orange_8361) from DEVCORE"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are\u0026nbsp;permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. \u003cbr\u003e\u003cbr\u003eSubstitutions in\u0026nbsp;server context that use a backreferences or variables as the first segment of the substitution are affected.\u0026nbsp; Some unsafe RewiteRules will be broken by this change and the rewrite flag \"UnsafePrefixStat\" can be used to opt back in once ensuring the substitution is appropriately constrained."
            }
          ],
          "value": "Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are\u00a0permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. \n\nSubstitutions in\u00a0server context that use a backreferences or variables as the first segment of the substitution are affected.\u00a0 Some unsafe RewiteRules will be broken by this change and the rewrite flag \"UnsafePrefixStat\" can be used to opt back in once ensuring the substitution is appropriately constrained."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-01T18:15:12.292Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2024-04-01T12:00:00.000Z",
          "value": "reported"
        }
      ],
      "title": "Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path.",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-38475",
    "datePublished": "2024-07-01T18:15:12.292Z",
    "dateReserved": "2024-06-17T11:09:56.096Z",
    "dateUpdated": "2024-09-13T17:04:56.456Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-38472

Vulnerability from cvelistv5

Published

2024-07-01 18:12

Modified

2024-11-18 08:51

Severity ?

Summary

SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.

References

▼	URL	Tags
	https://httpd.apache.org/security/vulnerabilities_24.html	vendor-advisory

Impacted products

Vendor

Product

Version

▼

Version: 2.4.0 ≤ 2.4.59

Show details on NVD website