CVE-2024-38474

2024-07-0119:15:04

CWE-116

[email protected]

web.nvd.nist.gov

cve-2024-38474

mod_rewrite

script execution

cgi

configuration

upgrade

unsafeallow3f

6.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.2%

JSON

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in
directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.

Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag “UnsafeAllow3F” is specified.

Affected configurations

Vulners

Node

apache_software_foundationapache_strutsRange≤2.4.59

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache HTTP Server",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "2.4.59",
        "status": "affected",
        "version": "2.4.0",
        "versionType": "semver"
      }
    ]
  }
]