CVE-2024-38476: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
Published Jul 1, 2024
·Updated
Apache. This is a vulnerability in open source code and Apple Software among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
Credit
CVE-2024-39573, CVE-2024-38477, CVE-2024-38476, an anonymous researcher, Ivan Fratric(Google Project Zero), Mickey Jin@@patch1t, K宝@@Pwnrin, Kirin@@Pwnrin, 7feilee, pattern-f@@pattern_F_(Loadshine Lab), Hikerell(Loadshine Lab), Hossein Lotfi@@hosselot(Trend Micro Zero Day Initiative), Alexandre Bedard, Ronny Stiftel, Wang Yu(Cyberserval), Junsung Lee(Trend Micro Zero Day Initiative), Jex Amro, Zhongquan Li@@Guluisacat, Ye Zhang@@VAR10CK(Baidu Security), Mateusz Krzywicki@@krzywix, Garrett Moon(Excited Pixel LLC), Arsenii Kostromin (0x3c3e), Ben Roeder, Toomas Römer, Jaime Bertran, Noah Gregory (wts.dev), Un3xploitable(CW Research Inc), Bohdan Stasiuk@@Bohdan_Stasiuk(CW Research Inc), Pedro Tôrres@@t0rr3sp3dr0, Mickey Jin@@patch1t(Kandji), Csaba Fitzl@@theevilbit(Kandji), an anonymous researcher(Dawn Security Lab of JD), Yinyi Wu@@_3ndy1(Dawn Security Lab of JD), Narendra Bhati(Cyber Security at Suma Soft Pvt), Manager(Cyber Security at Suma Soft Pvt), Pune (India), Lucas Di Tomase, Ryan Dowd@@_rdowd, Gergely Kalman@@gergely_kalman, Csaba Fitzl@@theevilbit, Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Halle Winkler, Politepix (theoffcuts.org), Bing Shi(Alibaba Group), Wenchao Li(Alibaba Group), Xiaolong Bai(Alibaba Group), (Indiana University Bloomington), Luyi Xing(Indiana University Bloomington), dw0r!(Trend Micro Zero Day Initiative), Rodolphe Brunetti@@eisw0lf, Cristian Dinca (icmd.tech), Wojciech Regula(SecuRing), Q1IQ@@q1iqF, P1umer@@p1umer, Bohdan Stasiuk@@Bohdan_Stasiuk
Affected Software
6 affected componentsFixes available
debian/apache2
2.4.62-1~deb11u12.4.61-1~deb11u12.4.62-1~deb12u12.4.62-1~deb12u22.4.62-3
Apple macOS Sequoia<15.1
15.1
Apache HTTP Server>=2.4.0<=2.4.60
NetApp Clustered Data ONTAP=9.0
Apache HTTP Server>=2.4.0<2.4.60
F5 Traffix SDC=5.2.0, =5.1.0
Remediation
Patch Available
Event History
Jul 1, 2024
CVE Published
via MITRE·06:15 PM
Data Sourced
via MITRE·06:15 PM
DescriptionWeakness
Data Sourced
via NVD·07:15 PM
DescriptionSeverityWeaknessAffected Software
Data Sourced
via Red Hat·07:22 PM
DescriptionSeverityAffected Software
Aug 8, 2024
Advisory Published
via F5·03:53 AM
Sep 18, 2024
Data Sourced
via Ubuntu·06:40 PM
RemedyDescriptionSeverityAffected Software
Oct 28, 2024
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2024-38476?
CVE-2024-38476 has been rated with high severity due to its impact on the core of Apache HTTP Server versions 2.4.59 and earlier.
2
How do I fix CVE-2024-38476?
To fix CVE-2024-38476, update Apache HTTP Server to version 2.4.62-1~deb11u1 or later.
3
What versions of Apache HTTP Server are affected by CVE-2024-38476?
CVE-2024-38476 affects Apache HTTP Server versions 2.4.59 and earlier.
4
Which operating systems are impacted by CVE-2024-38476?
CVE-2024-38476 impacts multiple operating systems, including Debian and macOS Sequoia.
5
Is there a workaround for CVE-2024-38476?
Currently, the recommended mitigation for CVE-2024-38476 is to upgrade to the latest version of Apache HTTP Server.