CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy handler substitution

Published Jul 1, 2024
·
Updated

Apache HTTP Server is vulnerable to server-side request forgery, caused by a flaw in the mod_rewrite. By sending a specially crafted request, an attacker could exploit this vulnerability to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy.

Credit

CVE-2024-39573, CVE-2024-38477, CVE-2024-38476, an anonymous researcher, Ivan Fratric(Google Project Zero), Mickey Jin@@patch1t, K宝@@Pwnrin, Kirin@@Pwnrin, 7feilee, pattern-f@@pattern_F_(Loadshine Lab), Hikerell(Loadshine Lab), Hossein Lotfi@@hosselot(Trend Micro Zero Day Initiative), Alexandre Bedard, Ronny Stiftel, Wang Yu(Cyberserval), Junsung Lee(Trend Micro Zero Day Initiative), Jex Amro, Zhongquan Li@@Guluisacat, Ye Zhang@@VAR10CK(Baidu Security), Mateusz Krzywicki@@krzywix, Garrett Moon(Excited Pixel LLC), Arsenii Kostromin (0x3c3e), Ben Roeder, Toomas Römer, Jaime Bertran, Noah Gregory (wts.dev), Un3xploitable(CW Research Inc), Bohdan Stasiuk@@Bohdan_Stasiuk(CW Research Inc), Pedro Tôrres@@t0rr3sp3dr0, Mickey Jin@@patch1t(Kandji), Csaba Fitzl@@theevilbit(Kandji), an anonymous researcher(Dawn Security Lab of JD), Yinyi Wu@@_3ndy1(Dawn Security Lab of JD), Narendra Bhati(Cyber Security at Suma Soft Pvt), Manager(Cyber Security at Suma Soft Pvt), Pune (India), Lucas Di Tomase, Ryan Dowd@@_rdowd, Gergely Kalman@@gergely_kalman, Csaba Fitzl@@theevilbit, Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Halle Winkler, Politepix (theoffcuts.org), Bing Shi(Alibaba Group), Wenchao Li(Alibaba Group), Xiaolong Bai(Alibaba Group), (Indiana University Bloomington), Luyi Xing(Indiana University Bloomington), dw0r!(Trend Micro Zero Day Initiative), Rodolphe Brunetti@@eisw0lf, Cristian Dinca (icmd.tech), Wojciech Regula(SecuRing), Q1IQ@@q1iqF, P1umer@@p1umer, Bohdan Stasiuk@@Bohdan_Stasiuk

Affected Software

13 affected componentsFixes available
debian/apache2
2.4.62-1~deb11u12.4.61-1~deb11u12.4.62-1~deb12u12.4.62-1~deb12u22.4.62-3
IBM R10.0<=10.1.3.0 10.0.245.0
IBM R9.4<=89.42.18.0 89.41.25.0 89.40.83.0
IBM R9.3<=89.33.52.0 89.33.45.0
Apple macOS Sequoia<15.1
15.1
Apache HTTP Server>=2.4.0<2.4.60
NetApp Ontap=9
F5 BIG-IP>=17.1.0<=17.1.2
17.1.2.2
F5 BIG-IP>=16.1.0<=16.1.5
16.1.6
F5 BIG-IP>=15.1.0<=15.1.10
F5 F5OS-A=1.7.0, >=1.5.1<=1.5.2
F5 F5OS-C>=1.6.0<=1.6.2
F5 Traffix SDC=5.2.0, =5.1.0

Remediation

Patch Available

https://github.com/apache/httpd/commit/9494aa8d52e3c263bc0413b77ac8a73b0d524388

Patch Available

https://svn.apache.org/viewvc?view=revision&revision=1918600

Patch Available

https://github.com/apache/httpd/commit/93aec0e3ca451bcc97f6d91c14d5399d13a73365

Event History

Jul 1, 2024
CVE Published
via MITRE·06:16 PM
Data Sourced
via MITRE·06:16 PM
DescriptionWeakness
Data Sourced
via NVD·07:15 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·07:15 PM
Affected Software
Data Sourced
via Red Hat·07:23 PM
DescriptionSeverityAffected Software
Jul 20, 2024
Data Sourced
via Launchpad·06:31 PM
Description
Aug 13, 2024
Advisory Published
via F5·03:29 PM
Data Sourced
via F5·03:29 PM
DescriptionSeverityWeaknessAffected Software
Sep 14, 2024
Data Sourced
via Ubuntu·06:39 PM
RemedyDescriptionSeverityAffected Software
Oct 28, 2024
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-39573?

CVE-2024-39573 is classified as a high severity vulnerability due to the potential for server-side request forgery.

2

How do I fix CVE-2024-39573?

To fix CVE-2024-39573, upgrade to the patched versions of Apache HTTP Server or affected products as specified by the vendor.

3

What products are affected by CVE-2024-39573?

CVE-2024-39573 affects several products, including Apache HTTP Server versions prior to 2.4.62, IBM Planning Analytics, and various versions of F5 BIG-IP.

4

What is server-side request forgery in the context of CVE-2024-39573?

In CVE-2024-39573, server-side request forgery allows an attacker to make unauthorized requests to internal resources through manipulated RewriteRules.

5

Can I still use my web applications if they are vulnerable to CVE-2024-39573?

Using web applications vulnerable to CVE-2024-39573 poses significant security risks, and it is highly recommended to apply the necessary updates immediately.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203