CVE-2024-47252

CWE-150 CWE-11712 documents9 sources

Severity

7.5HIGH

EPSS

0.2%

top 60.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server

Timeline

PublishedJul 10

Latest updateJan 15

Description

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDapache/http_server2.4.0 — 2.4.64

▶CVEListV5apache_software_foundation/apache_http_server2.4 — 2.4.63

▶Alpineapache2< 2.4.64-r0+4

▶Debianapache2< 2.4.65-1~deb11u1+3

🔴Vulnerability Details

OSV

apache2 vulnerabilities↗2025-07-16

▶

OSV

CVE-2024-47252: Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2↗2025-07-10

▶

GHSA

GHSA-2qfr-q5v6-m43q: Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2↗2025-07-10

▶

OSV

CVE-2024-47252: Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2↗2025-07-10

▶

CVEList

Apache HTTP Server: mod_ssl error log variable escaping↗2025-07-10

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: SSL module (Apache HTTP Server) — CVE-2024-47252↗2026-01-15

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2025-08-19

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2025-07-16

▶

Red Hat

httpd: insufficient escaping of user-supplied data in mod_ssl↗2025-07-14

▶

Microsoft

Apache HTTP Server: mod_ssl error log variable escaping↗2025-07-08

▶