Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
The vulnerability exists in the core of Apache HTTP Server and is triggered by responses returned by backend applications. When a backend returns maliciously crafted HTTP response headers, the Apache server processes them in a way that can lead to disclosure of sensitive data, execution of SSRF requests to internal resources, or triggering of local scripts. An attacker can potentially influence the behavior of the frontend server by controlling or compromising the backend layer.
An attacker can gain access to sensitive information, execute requests to internal network resources (SSRF), or cause local script execution on the server, which could result in complete system compromise.
Apache HTTP Server should be updated to version 2.4.60 or later, which contains a fix for this vulnerability. NetApp Clustered Data ONTAP users should apply patches according to NetApp recommendations available at https://security.netapp.com/advisory/ntap-20240712-0001/.
Apache HTTP Server version 2.4.59 and earlier; NetApp Clustered Data ONTAP (specific versions indicated in NetApp vendor references).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache HTTP Server
APPApache2.4.0 – 2.4.60 (bez)Netapp Clustered Data Ontap
OSNetapp9.0
Related vulnerabilities
Apache HTTP Server mod_rewrite — ujawnienie kodu i RCE poprzez błędne escapowanie
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could ...
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a ...
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remot...
Use-after-free w Apache HTTP Server z mod_ldap (CVE-2026-29167)