CVE-2024-38477

CWE-476 — NULL Pointer Dereference19 documents10 sources

Severity

7.5HIGH

EPSS

1.1%

top 21.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server Netapp Clustered Data Ontap

Timeline

PublishedJul 1

Latest updateOct 21

Description

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDapache/http_server2.4.0 — 2.4.60

▶CVEListV5apache_software_foundation/apache_http_server2.4.0 — 2.4.59

▶Alpineapache2< 2.4.60-r0+6

▶Debianapache2< 2.4.61-1~deb11u1+3

▶NVDnetapp/clustered_data_ontap9.0

🔴Vulnerability Details

OSV

linux-azure-fips vulnerabilities↗2025-10-21

▶

OSV

linux-azure-fips vulnerabilities↗2025-10-13

▶

OSV

linux-azure, linux-azure-5.4 vulnerabilities↗2025-10-13

▶

OSV

linux-oracle vulnerabilities↗2025-10-13

▶

OSV

linux-aws-fips, linux-fips, linux-gcp-fips vulnerabilities↗2025-10-02

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Core (Apache HTTP Server) — CVE-2024-38477↗2025-07-15

▶

Apple

CVE-2024-38477: macOS Sequoia 15.1↗2024-10-28

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-09-18

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-07-08

▶

Red Hat

httpd: NULL pointer dereference in mod_proxy↗2024-07-01

▶

💬Community

HackerOne

important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477)↗2024-07-13

▶