PT-2024-5848 · Apache · Apache Http Server

Orange_8361

Published 2024-07-01 · Updated 2026-02-22 · CVE-2024-38474

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.59 and earlier
Description: The issue is a substitution encoding problem in the mod_rewrite module of the Apache HTTP Server. A back-reference captured from the request path is inserted into the rewritten target without re-encoding, so a URL-encoded "?" (%3F) supplied by the client is decoded into the capture and then splits the rewritten path at a point the configuration never intended. This allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or to disclose the source of scripts meant only to be executed as CGI.
Recommendations: For Apache HTTP Server versions 2.4.59 and earlier, upgrade to version 2.4.60, which fixes this issue. Note that the fix changes behaviour: RewriteRules that capture and substitute unsafely (a back-reference contributing a decoded "?" to the rewritten path) will now fail unless the rewrite flag "UnsafeAllow3F" is specified on that rule. The flag is not a workaround for unpatched versions; it only exists from 2.4.60 and re-enables the unsafe behaviour for a rule, so add it only to rules you have verified cannot be reached with attacker-controlled captures, and prefer rewriting such rules so the capture cannot influence the resulting filename.
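The following is an added, constructed example (not code from this page or from the Apache project) that models the mod_rewrite substitution step in simplified Python: a back-reference is expanded into the rewrite target, the result is split at the first "?" into path and query string, and the 2.4.60 behaviour is modelled as refusing the rewrite when a "?" came from a back-reference and UnsafeAllow3F is absent. The rule `^/user/(.+)$ -> /var/user/$1/profile.yml`, the request paths and the access-log lines are all invented for illustration; the model omits many real mod_rewrite details (per-directory context, flags such as NE/QSA, redirects and proxying).

```python
"""Constructed model of the CVE-2024-38474 mod_rewrite substitution issue.

Hypothetical rule under test (Apache syntax):
    RewriteRule "^/user/(.+)$" "/var/user/$1/profile.yml"
"""
import re
from urllib.parse import unquote

RULE_PATTERN = r"^/user/(.+)$"
RULE_SUBSTITUTION = "/var/user/$1/profile.yml"


def expand_substitution(substitution, match):
    """Expand $N back-references and report whether any '?' in the result was
    contributed by a back-reference rather than by the rule's literal text."""
    out = []
    qmark_from_capture = False
    i = 0
    while i < len(substitution):
        ch = substitution[i]
        if ch == "$" and i + 1 < len(substitution) and substitution[i + 1].isdigit():
            group = match.group(int(substitution[i + 1])) or ""
            if "?" in group:
                qmark_from_capture = True
            out.append(group)
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out), qmark_from_capture


def apply_rewrite(pattern, substitution, request_uri, fixed=True, unsafe_allow_3f=False):
    """Simulate one RewriteRule in server context.

    fixed=False models 2.4.59 and earlier; fixed=True models the 2.4.60 check,
    which refuses a rewrite whose '?' originated in a capture unless the rule
    carries the UnsafeAllow3F flag (assumption: simplified model of that check).
    """
    decoded_path = unquote(request_uri)  # the rule is matched against the decoded path
    m = re.match(pattern, decoded_path)
    if not m:
        return {"status": "no-match", "file": None, "query": None}
    expanded, tainted = expand_substitution(substitution, m)
    if fixed and tainted and not unsafe_allow_3f:
        return {"status": "rejected", "file": None, "query": None}
    # The first '?' in the rewritten target separates the new path from the query string,
    # so a decoded %3F inside the capture truncates the filename that gets served.
    file_path, _, query = expanded.partition("?")
    return {"status": "rewritten", "file": file_path, "query": query}


# Constructed access-log lines (combined log format) for the hunting helper below.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jul/2024:10:00:01 +0000] "GET /user/orange HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jul/2024:10:00:02 +0000] "GET /user/orange%2Fsecret.yml%3F HTTP/1.1" 200 88',
    '198.51.100.7 - - [01/Jul/2024:10:00:03 +0000] "GET /search?q=%3F HTTP/1.1" 200 1024',
]

ENCODED_QMARK = re.compile(r"%3f", re.IGNORECASE)


def suspicious_requests(access_log_lines):
    """Return request targets whose path component (before any literal '?')
    contains an encoded '?' (%3F). A literal '?' rarely needs to be encoded
    inside a path, so this is a cheap hunting signal for attempts against
    capture-and-substitute rewrite rules."""
    hits = []
    for line in access_log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        if not m:
            continue
        target = m.group(1)
        path_part = target.split("?", 1)[0]
        if ENCODED_QMARK.search(path_part):
            hits.append(target)
    return hits


if __name__ == "__main__":
    for uri in ("/user/orange", "/user/orange%2Fsecret.yml%3F"):
        print(uri, "-> 2.4.59:", apply_rewrite(RULE_PATTERN, RULE_SUBSTITUTION, uri, fixed=False))
        print(uri, "-> 2.4.60:", apply_rewrite(RULE_PATTERN, RULE_SUBSTITUTION, uri, fixed=True))
    print("suspicious:", suspicious_requests(SAMPLE_LOG))
```

On the unpatched model the request `/user/orange%2Fsecret.yml%3F` is rewritten to the file `/var/user/orange/secret.yml` with `/profile.yml` pushed into the query string, which is exactly the class of path truncation the advisory describes; on the patched model the same request is refused, and only adding UnsafeAllow3F restores the old behaviour.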

Weakness Enumeration

Improper Encoding or Escaping of Output (CWE-116)

Related Identifiers

ALSA-2024:4720
ALSA-2024:4726
ALT-PU-2024-10005
ALT-PU-2024-10192
ALT-PU-2024-10223
ALT-PU-2024-9738
BDU:2024-05131
BDU:2024-06593
BIT-APACHE-2024-38474
CESA-2024_4720
CVE-2024-38474
DLA-3921-1
DSA-5729-1
DSA-5729-2
INFSA-2024_4720
INFSA-2024_4726
MGASA-2024-0258
OESA-2024-1852
OESA-2024-1853
OESA-2024-1854
OESA-2024-1855
OESA-2024-1856
OPENSUSE-SU-2024:14116-1
OPENSUSE-SU-2024_3172-1
OPENSUSE-SU-2024_3173-1
RHSA-2024:4719
RHSA-2024:4720
RHSA-2024:4726
RHSA-2024:4820
RHSA-2024:4827
RHSA-2024:4830
RHSA-2024:4862
RHSA-2024:4863
RHSA-2024:4938
RHSA-2024:4943
RHSA-2024:5239
RHSA-2024_4720
RHSA-2024_4726
RLSA-2024:4726
ROSA-SA-2024-2515
SUSE-SU-2024:2997-1
SUSE-SU-2024:2999-1
SUSE-SU-2024:3172-1
SUSE-SU-2024:3173-1
USN-6885-1
USN-6885-2
USN-6885-3
USN-6885-4
USN-6885-5
USN-6885-6

Affected Products

Alt Linux
Almalinux
Apache Http Server
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu