CVE-2024-38476

CWE-829 CWE-200 — Information Exposure14 documents10 sources

Severity

9.8CRITICAL

EPSS

3.5%

top 12.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server Netapp Clustered Data Ontap

Timeline

PublishedJul 1

Latest updateApr 15

Description

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶NVDapache/http_server2.4.0 — 2.4.60

▶CVEListV5apache_software_foundation/apache_http_server2.4.0 — 2.4.59

▶Alpineapache2< 2.4.60-r0+6

▶Debianapache2< 2.4.61-1~deb11u1+3

▶NVDnetapp/clustered_data_ontap9.0

🔴Vulnerability Details

CVEList

Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect↗2024-07-01

▶

OSV

CVE-2024-38476: Vulnerability in core of Apache HTTP Server 2↗2024-07-01

▶

GHSA

GHSA-fpq9-w5cw-5hf8: Vulnerability in core of Apache HTTP Server 2↗2024-07-01

▶

OSV

CVE-2024-38476: Vulnerability in core of Apache HTTP Server 2↗2024-07-01

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Core (Apache HTTP Server) — CVE-2024-38476↗2025-04-15

▶

Apple

CVE-2024-38476: macOS Sequoia 15.1↗2024-10-28

▶

Oracle

Oracle Oracle Secure Backup Risk Matrix: Oracle Secure Backup (Apache HTTP Server) — CVE-2024-38476↗2024-10-15

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-09-18

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-07-08

▶

💬Community

HackerOne

important: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect (CVE-2024-38476)↗2024-07-13

▶