CVE-2024-40725

2024-07-1810:15:02

CWE-668

apache

web.nvd.nist.gov

apache http server

cve-2024-39884

source code disclosure

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.1

Confidence

Low

EPSS

0.001

Percentile

38.6%

JSON

A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. “AddType” and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.

Users are recommended to upgrade to version 2.4.62, which fixes this issue.

Affected configurations

Nvd

Vulners

Node

apachehttp_serverMatch2.4.60

apachehttp_serverMatch2.4.61

VendorProductVersionCPE
apachehttp_server2.4.60cpe:2.3:a:apache:http_server:2.4.60:*:*:*:*:*:*:*
apachehttp_server2.4.61cpe:2.3:a:apache:http_server:2.4.61:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	http_server	2.4.60	cpe:2.3:a:apache:http_server:2.4.60:::::::*
apache	http_server	2.4.61	cpe:2.3:a:apache:http_server:2.4.61:::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache HTTP Server",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "2.4.61",
        "status": "affected",
        "version": "2.4.60",
        "versionType": "semver"
      }
    ]
  }
]