CVE-2024-38475

Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path.

Severity Score

9.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.

Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

El escape inadecuado de la salida en mod_rewrite en Apache HTTP Server 2.4.59 y versiones anteriores permite a un atacante asignar URL a ubicaciones del sistema de archivos que el servidor permite servir, pero a las que no se puede acceder intencional o directamente mediante ninguna URL, dando como resultado la ejecución del código o la divulgación del código fuente. Las sustituciones en el contexto del servidor que utilizan referencias inversas o variables como primer segmento de la sustitución se ven afectadas. Este cambio romperá algunas RewiteRules inseguras y el indicador de reescritura "UnsafePrefixStat" se puede usar para volver a participar una vez que se garantice que la sustitución esté restringida adecuadamente.

A flaw was found in the mod_rewrite module of httpd. Improper escaping of output allows an attacker to map URLs to filesystem locations permitted to be served by the server but are not intentionally or directly reachable by any URL. This issue results in code execution or source code disclosure.

*Credits: Orange Tsai (@orange_8361) from DEVCORE

CVSS Scores

CISAv3.1 9.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-06-17 CVE Reserved
2024-07-01 CVE Published
2024-07-02 EPSS Updated
2024-08-18 First Exploit
2024-09-13 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-116: Improper Encoding or Escaping of Output

CAPEC

References (5)

URL	Tag	Source
https://security.netapp.com/advisory/ntap-20240712-0001

URL	Date	SRC
https://github.com/p0in7s/CVE-2024-38475	2024-08-18

URL	Date	SRC

URL	Date	SRC
https://httpd.apache.org/security/vulnerabilities_24.html	2024-07-12
https://access.redhat.com/security/cve/CVE-2024-38475	2024-08-13
https://bugzilla.redhat.com/show_bug.cgi?id=2295014	2024-08-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache HTTP Server Search vendor "Apache Software Foundation" for product "Apache HTTP Server"				>= 2.4.0 <= 2.4.59 Search vendor "Apache Software Foundation" for product "Apache HTTP Server" and version " >= 2.4.0 <= 2.4.59"		en		Affected