CVE-2024-40725

Updated: 2024-08-22 20:42:16.384167

Description:

A partial fix for  CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.


Links NIST CIRCL RHEL Ubuntu

Severity

Severity Score
CVSS Version 2.x 0
CVSS Version 3.x MEDIUM 5.3

Status

OS name Project name Version Score Severity Status Errata Last updated
AlmaLinux 9.2 ESU httpd 2.4.53 5.3 MEDIUM Released CLSA-2024:1724706840 2024-08-26 17:32:24
CentOS 6 ELS httpd 2.2.15 5.3 MEDIUM Not Vulnerable 2024-08-22 17:31:48
CentOS 7 ELS httpd 2.4.6 5.3 MEDIUM Released CLSA-2024:1723059198 2024-08-13 14:29:40
CentOS 8.4 ELS httpd 2.4.37 5.3 MEDIUM Released CLSA-2024:1724351412 2024-08-22 17:31:48
CentOS 8.5 ELS httpd 2.4.37 5.3 MEDIUM Released CLSA-2024:1724351427 2024-08-22 17:31:47
CentOS Stream 8 ELS httpd 2.4.37 5.3 MEDIUM Released CLSA-2024:1724351166 2024-08-22 14:30:47
CloudLinux 6 ELS httpd 2.2.15 5.3 MEDIUM Not Vulnerable 2024-09-02 14:27:25
CloudLinux 7 ELS httpd 2.4.6 5.3 MEDIUM In Rollout CLSA-2024:1726078096 2024-09-11 14:23:27
Oracle Linux 6 ELS httpd 2.2.15 5.3 MEDIUM Not Vulnerable 2024-09-02 14:27:25
Ubuntu 16.04 ELS apache2 2.4.18 5.3 MEDIUM Released CLSA-2024:1725012024 2024-08-30 12:19:50
Total: 11