CVE-2024-38472
Apache HTTP Server on WIndows UNC SSRF
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
SSRF in Apache HTTP Server on Windows allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.
SSRF en el servidor Apache HTTP en Windows permite potencialmente filtrar hashes NTML a un servidor malicioso a través de SSRF y solicitudes o contenido maliciosos. Se recomienda a los usuarios actualizar a la versión 2.4.60, que soluciona este problema. Nota: Las configuraciones existentes que acceden a rutas UNC deberán configurar la nueva directiva "UNCList" para permitir el acceso durante el procesamiento de solicitudes.
SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.
A flaw was found in httpd on Windows systems. This issue potentially allows NTLM hashes to be leaked to a malicious server via Server-side request forgery (SSRF) and malicious requests or content.
SSRF in Apache HTTP Server on Windows allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.
Multiple vulnerabilities have been found in Apache HTTPD, the worst of which could result in denial of service. Versions greater than or equal to 2.4.62 are affected.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-06-17 CVE Reserved
- 2024-07-01 CVE Published
- 2024-08-03 First Exploit
- 2024-11-18 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://security.netapp.com/advisory/ntap-20240712-0001 |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/Abdurahmon3236/CVE-2024-38472 | 2024-08-03 | |
| https://github.com/mrmtwoj/apache-vulnerability-testing | 2024-11-24 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://httpd.apache.org/security/vulnerabilities_24.html | 2024-07-12 | |
| https://access.redhat.com/security/cve/CVE-2024-38472 | 2024-09-24 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2295011 | 2024-09-24 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache HTTP Server Search vendor "Apache Software Foundation" for product "Apache HTTP Server" | >= 2.4.0 <= 2.4.59 Search vendor "Apache Software Foundation" for product "Apache HTTP Server" and version " >= 2.4.0 <= 2.4.59" | en |
Affected
| ||||||