CVE-2024-38474: Apache HTTP Server weakness with encoded question marks in backreferences

Published Jul 1, 2024

CVE-2024-38474: A substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or to disclose the source of scripts meant only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless the rewrite flag "UnsafeAllow3F" is specified.

CVE-2024-38475: Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally or directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreference or variable as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change; the rewrite flag "UnsafePrefixStat" can be used to opt back in once the substitution has been appropriately constrained.
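As an added illustration, not taken from the advisory or from the Apache project, the following constructed httpd.conf fragment shows the rule shape the advisory describes as affected (a backreference as the first segment of a server-context substitution), a constrained rewrite that anchors the substitution to a fixed path, and the syntax of the opt-in flags. The rule patterns, the /files/ and /cgi/ prefixes and the filesystem paths are assumptions; only the flag names UnsafeAllow3F and UnsafePrefixStat come from the advisory text.

```apache
# Constructed example (not the advisory's own text): server-context
# RewriteRules in httpd.conf. Patterns and paths are assumptions.

RewriteEngine On

# Shape the advisory describes as affected: the backreference $1 is the
# first segment of the substitution, so no fixed prefix under the server's
# control constrains where the rewritten path may land. On 2.4.60 and later
# such a rule is refused unless UnsafePrefixStat is given explicitly.
#RewriteRule "^/files/(.*)$" "$1" [L]

# Constrained alternative: the substitution begins with a literal path
# segment chosen by the administrator, and the capture is limited to one
# path component with no slashes, no '?' and no percent-encoded bytes.
RewriteRule "^/files/([A-Za-z0-9._-]+)$" "/var/www/files/$1" [L]

# Opt-in flags, shown only for their syntax; use them after the
# substitution has been reviewed and constrained, not as a blanket fix.
# UnsafePrefixStat re-enables a backreference or variable as the first
# segment of a server-context substitution (the CVE-2024-38475 change).
# UnsafeAllow3F re-enables substitutions that carry an encoded question
# mark captured from the request (the CVE-2024-38474 change).
#RewriteRule "^/files/(.*)$" "$1" [L,UnsafePrefixStat]
#RewriteRule "^/cgi/(.*)$" "/cgi-bin/$1" [L,UnsafeAllow3F]
```

After upgrading, check the error log at startup: a rule that 2.4.60 refuses is reported there, and that report is the place to decide between tightening the pattern (preferred) and adding the opt-in flag.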

Affected Software

10 affected components (fixes available where listed)

debian/apache2: fixes 2.4.62-1~deb11u1, 2.4.61-1~deb11u1, 2.4.62-1~deb12u1, 2.4.62-1~deb12u2, 2.4.62-3
Apache HTTP Server: affected >=2.4.0 <2.4.60
NetApp Clustered Data ONTAP: affected =9.0
F5 BIG-IP: affected >=17.1.0 <=17.1.2; fixes 17.5.0, 17.1.2.2
F5 BIG-IP: affected >=16.1.0 <=16.1.5; fix 16.1.6
F5 BIG-IP: affected >=15.1.0 <=15.1.10
F5 Traffix SDC: affected =5.2.0, =5.1.0
IBM R10.0: affected <=10.1.3.0; fix 10.0.245.0
IBM R9.4: affected <=89.42.18.0; fixes 89.41.25.0, 89.40.83.0
IBM R9.3: affected <=89.33.52.0; fix 89.33.45.0

Event History

Jul 1, 2024
  CVE Published via MITRE · 06:14 PM
  Data Sourced via MITRE · 06:14 PM (Description, Weakness)
  Data Sourced via Red Hat · 07:21 PM (Description, Severity, Affected Software)
Aug 8, 2024
  Advisory Published via F5 · 04:56 AM
Sep 18, 2024
  Data Sourced via Ubuntu · 06:40 PM (Remedy, Description, Severity, Affected Software)
May 27, 2025
  Data Sourced via IBM · 12:00 AM (Description, Affected Software)


Frequently Asked Questions

1. What is the severity of CVE-2024-38474?
CVE-2024-38474 is rated as a critical vulnerability due to its potential to allow remote code execution.

2. How do I fix CVE-2024-38474?
To fix CVE-2024-38474, upgrade to the patched versions of affected Apache HTTP Server packages as specified by your vendor.

3. What products are affected by CVE-2024-38474?
CVE-2024-38474 affects Apache HTTP Server versions prior to 2.4.62 as well as certain versions of IBM Planning Analytics and F5 BIG-IP.

4. Can CVE-2024-38474 be exploited remotely?
Yes, CVE-2024-38474 can be exploited remotely by sending specially crafted requests to vulnerable servers.

5. Is there a known exploit for CVE-2024-38474?
Yes, proof-of-concept exploits for CVE-2024-38474 have been demonstrated, increasing the urgency of applying security updates.

© 2026 SecAlerts Pty Ltd.