CVE-2024-39573

CWE-20 — Improper Input Validation CWE-11612 documents10 sources

Severity

7.5HIGH

EPSS

3.2%

top 13.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server Netapp Ontap

Timeline

PublishedJul 1

Latest updateOct 28

Description

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDapache/http_server2.4.0 — 2.4.60

▶CVEListV5apache_software_foundation/apache_http_server2.4.0 — 2.4.59

▶Alpineapache2< 2.4.60-r0+6

▶Debianapache2< 2.4.61-1~deb11u1+3

Also affects: Ontap 9

🔴Vulnerability Details

GHSA

GHSA-2wcw-rcf9-qm36: Potential SSRF in mod_rewrite in Apache HTTP Server 2↗2024-07-01

▶

OSV

CVE-2024-39573: Potential SSRF in mod_rewrite in Apache HTTP Server 2↗2024-07-01

▶

OSV

CVE-2024-39573: Potential SSRF in mod_rewrite in Apache HTTP Server 2↗2024-07-01

▶

CVEList

Apache HTTP Server: mod_rewrite proxy handler substitution↗2024-07-01

▶

📋Vendor Advisories

Apple

CVE-2024-39573: macOS Sequoia 15.1↗2024-10-28

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-07-08

▶

Red Hat

httpd: Potential SSRF in mod_rewrite↗2024-07-01

▶

Red Hat

httpd: Encoding problem in mod_proxy↗2024-07-01

▶

Debian

CVE-2024-39573: apache2 - Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an...↗2024

▶

💬Community

HackerOne

moderate: Apache HTTP Server: mod_rewrite proxy handler substitution (CVE-2024-39573) CWE-20 Improper Input Validation↗2024-08-12

▶