CVE-2024-38474

Updated: 2024-11-24 04:17:59.421727

Description:

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.


Links NIST CIRCL RHEL Ubuntu

Severity

Severity Score
CVSS Version 2.x 0
CVSS Version 3.x CRITICAL 9.8

Status

OS name Project name Version Score Severity Status Errata Last updated

Statement

AlmaLinux 9.2 ESU httpd 2.4.53 9.8 CRITICAL Released CLSA-2024:1724706840 2024-08-26 17:33:23
CentOS 6 ELS httpd 2.2.15 9.8 CRITICAL Not Vulnerable 2024-07-15 04:49:38
CentOS 7 ELS httpd 2.4.6 9.8 CRITICAL Released CLSA-2024:1722003981 2024-08-13 14:30:42
CentOS 8.4 ELS httpd 2.4.37 9.8 CRITICAL Released CLSA-2024:1724351412 2024-08-22 17:32:53
CentOS 8.5 ELS httpd 2.4.37 9.8 CRITICAL Released CLSA-2024:1724351427 2024-08-22 17:32:52
CentOS Stream 8 ELS httpd 2.4.37 9.8 CRITICAL Released CLSA-2024:1724351166 2024-08-22 14:31:52
CloudLinux 6 ELS httpd 2.2.15 9.8 CRITICAL Not Vulnerable 2024-07-15 04:49:38
CloudLinux 7 ELS httpd 2.4.6 9.8 CRITICAL Released CLSA-2024:1724788700 2024-09-09 12:19:15
Oracle Linux 6 ELS httpd 2.2.15 9.8 CRITICAL Not Vulnerable 2024-07-15 04:49:38
Oracle Linux 7 ELS httpd 2.4.6 9.8 CRITICAL Already Fixed 2024-12-03 12:09:58
Total: 12