Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-38473

CWE-116 | 14 documents | 10 sources

Severity: 8.1 HIGH
EPSS: 88.3% (top 0.51%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Jul 1; latest update Aug 12

Description

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Exploitability: 2.8 | Impact: 5.2

Affected Packages (4 packages)

Source  | Package            | Affected versions
NVD     | apache/http_server | 2.4.0 up to 2.4.60 (fixed in 2.4.60)
Alpine  | apache2            | < 2.4.60-r0 (+6 more)
Debian  | apache2            | < 2.4.61-1~deb11u1 (+3 more)

Also affects: Ontap 9

Vulnerability Details (6)

OSV  | apache2 regression | 2024-07-11
OSV  | apache2 vulnerabilities | 2024-07-08
OSV  | CVE-2024-38473: Encoding problem in mod_proxy in Apache HTTP Server 2 | 2024-07-01
GHSA | GHSA-hrh5-4ffc-228q: Encoding problem in mod_proxy in Apache HTTP Server 2 | 2024-07-01
OSV  | CVE-2024-38473: Encoding problem in mod_proxy in Apache HTTP Server 2 | 2024-07-01

Exploits & PoCs (1)

Nuclei | Apache HTTP Server - ACL Bypass

Vendor Advisories (4)

Microsoft | Apache HTTP Server proxy encoding problem | 2024-07-09
Ubuntu    | Apache HTTP Server vulnerabilities | 2024-07-08
Red Hat   | httpd: Encoding problem in mod_proxy | 2024-07-01
Debian    | CVE-2024-38473: apache2 - Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows re... | 2024

Community (2)

HackerOne | moderate: Apache HTTP Server: mod_rewrite proxy handler substitution (CVE-2024-39573) CWE-20 Improper Input Validation | 2024-08-12
HackerOne | moderate: Apache HTTP Server proxy encoding problem (CVE-2024-38473) | 2024-07-13
CVE-2024-38473 (HIGH CVSS 8.1) | Encoding problem in mod_proxy in Ap | cvebase.io