CVE-2024-43394 — Server-Side Request Forgery in Apache HTTP Server
Severity
7.5 HIGH (NVD)
EPSS
0.1%
top 84.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Jul 10
Description
Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows potentially allows NTLM hashes to be leaked to a malicious server via mod_rewrite or Apache expressions that pass unvalidated request input.
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63.
Note: The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths.
The server offers limited protection against administrators directing the server to open UNC pa…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 2 packages
Vulnerability Details (4)
OSV (2025-07-10)
CVE-2024-43394: Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or ap…
GHSA (2025-07-10)
GHSA-gxxm-rhpx-j39m: Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or ap…