CVE-2024-40898 — Server-Side Request Forgery in Apache Http Server

CWE-918 — Server-Side Request Forgery10 documents10 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 32.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server

Timeline

PublishedJul 18

Latest updateOct 15

Description

SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/http_server< 2.4.62

▶CVEListV5apache_software_foundation/apache_http_server2.4.0 — 2.4.61

🔴Vulnerability Details

GHSA

GHSA-f6mg-hq7f-jw2j: SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTML hashes to a malicious server via SSRF↗2024-07-18

▶

CVEList

Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows↗2024-07-18

▶

OSV

CVE-2024-40898: SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTML hashes to a malicious server via SSRF↗2024-07-18

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (Apache HTTP Server) — CVE-2024-40898↗2024-10-15

▶

Microsoft

CVE-2024-40898: NIST NVD Details: https://nvd↗2024-09-10

▶

Red Hat

httpd: SSRF in Apache HTTP Server on Windows via mod_rewrite in server/vhost context↗2024-07-18

▶

Debian

CVE-2024-40898: apache2 - SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, ...↗2024

▶

Apache

Apache httpd: CVE-2024-40898↗

▶

💬Community

HackerOne

important: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows (CVE-2024-40898)↗2024-08-27

▶