CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-38474

CVSS 9.8v3.1pub. 2024-07-01upd. 2025-03-25

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

🤖 AI Analysis
How it works

The issue results from improper substitution encoding in RewriteRule rules of the mod_rewrite module. When rules capture and substitute input data in an unsafe manner, it is possible to construct a request that bypasses URL access restrictions and directs the server to execute a script located in a directly inaccessible directory, or disclose the contents of that script instead of executing it. The vulnerability can be exploited remotely, without authentication and user interaction. After applying the patch, RewriteRule rules performing unsafe substitutions will be rejected unless the 'UnsafeAllow3F' flag is explicitly set.

Impact

An attacker can remotely execute unauthorized CGI scripts in directories protected from direct URL access or gain access to the source code of these scripts, which may lead to disclosure of sensitive data (e.g., credentials, application logic) and compromise of system integrity and availability.

Mitigation & patch

Apache HTTP Server should be updated to version 2.4.60, which eliminates this vulnerability. NetApp Clustered Data ONTAP users should apply patches according to the vendor advisory (ntap-20240712-0001). Additionally, existing RewriteRule rules should be reviewed for unsafe substitutions — rules requiring previous behavior must be marked with the 'UnsafeAllow3F' flag.

Who is affected

Apache HTTP Server version 2.4.59 and earlier; NetApp Clustered Data ONTAP (versions indicated in vendor references)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache HTTP Server

    APP
    Apache
    2.4.0 – 2.4.60 (bez)
  • Netapp Clustered Data Ontap

    OS
    Netapp
    9.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2024-38475CRITICAL9.1⚠ KEVPL ✓ten sam produkt

Apache HTTP Server mod_rewrite — ujawnienie kodu i RCE poprzez błędne escapowanie

CVE-2021-42013CRITICAL9.8⚠ KEVten sam produkt

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could ...

CVE-2021-41773CRITICAL9.8⚠ KEVten sam produkt

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a ...

CVE-2021-40438CRITICAL9.0⚠ KEVten sam produkt

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remot...

CVE-2026-29167CRITICAL9.8PL ✓ten sam produkt

Use-after-free w Apache HTTP Server z mod_ldap (CVE-2026-29167)