CVE-2024-38474

CWE-11617 documents8 sources

Severity

9.8CRITICAL

EPSS

0.7%

top 26.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server Netapp Clustered Data Ontap

Timeline

PublishedJul 1

Latest updateAug 13

Description

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages6 packages

▶NVDapache/http_server2.4.0 — 2.4.60

▶CVEListV5apache_software_foundation/apache_http_server2.4.0 — 2.4.59

▶Alpineapache2< 2.4.60-r0+6

▶Debianapache2< 2.4.61-1~deb11u1+3

▶Ubuntuapache2< 2.4.41-4ubuntu3.23+6

🔴Vulnerability Details

OSV

apache2 regression↗2025-08-13

▶

OSV

apache2 vulnerabilities↗2025-07-21

▶

OSV

apache2 regression↗2025-04-07

▶

OSV

apache2 vulnerabilities↗2024-09-18

▶

OSV

CVE-2024-38474: Substitution encoding issue in mod_rewrite in Apache HTTP Server 2↗2024-07-01

▶

📋Vendor Advisories

Ubuntu

Apache HTTP Server regression↗2025-08-13

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2025-07-21

▶

Ubuntu

Apache HTTP Server regression↗2025-04-07

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-09-18

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-07-08

▶

💬Community

HackerOne

important: Apache HTTP Server weakness with encoded question marks in backreferences (CVE-2024-38474)↗2024-07-13

▶