PT-2024-5594 · Apache+6 · Apache HTTP Server+6

Eric Covener · Published 2024-07-03 · Updated 2025-11-11 · CVE-2024-39884

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Apache HTTP Server version 2.4.60

Description

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. It is estimated that over 9,500 services are potentially affected.

Recommendations

To resolve the issue, upgrade to version 2.4.61, which fixes this problem. As a temporary workaround, consider restricting access to the AddType configuration to minimize the risk of exploitation. Avoid using the AddType directive in the affected API endpoints until the issue is resolved.

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2024-10005
ALT-PU-2024-10192
ALT-PU-2024-10223
ALT-PU-2024-9738
AZL-43170
AZL-43174
BDU:2024-06280
BIT-APACHE-2024-39884
CVE-2024-39884
DLA-3921-1
DSA-5729-2
MGASA-2024-0258
OPENSUSE-SU-2024:14116-1
OPENSUSE-SU-2024_3172-1
OPENSUSE-SU-2024_3173-1
SUSE-SU-2024:3061-1
SUSE-SU-2024:3172-1
SUSE-SU-2024:3173-1
SUSE-SU-2024_3061-1
SUSE-SU-2025:02241-1
SUSE-SU-2025_02241-1
USN-6885-1
USN-6885-2
USN-6885-4
USN-6885-6

Affected Products

ALT Linux
Apache HTTP Server
Astra Linux
Linux Mint
RED OS
SUSE
Ubuntu