CVE-2024-38476 Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect

2024-07-0118:15:40

CWE-829

apache

www.cve.org

cve-2024-38476

apache http server

information disclosure

ssrf

local script execution

upgrade

version 2.4.60

0.0004 Low

EPSS

Percentile

9.2%

JSON

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.

Users are recommended to upgrade to version 2.4.60, which fixes this issue.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache HTTP Server",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "2.4.59",
        "status": "affected",
        "version": "2.4.0",
        "versionType": "semver"
      }
    ]
  }
]