PT-2024-4623 · Apache · Apache HTTP Server
Orange_8361 · Published 2024-07-01 · Updated 2026-05-28
CVE-2024-38476
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions:
Apache HTTP Server versions 2.4.59 and earlier
Description:
The issue lies in the core of the Apache HTTP Server: malicious or exploitable response headers returned by backend applications can lead to information disclosure, Server-Side Request Forgery (SSRF), or local script execution. An attacker can exploit this to execute arbitrary code through an internal redirection. The estimated number of potentially affected devices worldwide is not specified, and there is no information about real-world incidents in which this issue was exploited.
Recommendations:
Upgrade to version 2.4.60, which fixes this issue. As a temporary workaround until the upgrade is applied, restrict access to backend applications whose response headers may be malicious or exploitable, and avoid using the vulnerable core functionality of the Apache HTTP Server until the issue is resolved.
Affected Products
ALT Linux
AlmaLinux
Apache HTTP Server
Astra Linux
CentOS
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu