BIT-APACHE-2024-38472

SSRF in Apache HTTP Server on Windows allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new...

BIT-APACHE-2024-38473 Apache HTTP Server proxy encoding problem

Encoding problem in modproxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue...

BIT-APACHE-2024-38474 Apache HTTP Server weakness with encoded question marks in backreferences

Substitution encoding issue in modrewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to...

BIT-APACHE-2024-38475 Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path.

Improper escaping of output in modrewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure...

BIT-APACHE-2024-38477 Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request

null pointer dereference in modproxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue...

Internet Bug Bounty: moderate: Apache HTTP Server: HTTP response splitting (CVE-2023-38709)

moderate: Apache HTTP Server: HTTP response splitting CVE-2023-38709 Faulty input validation in the core of Apache allowed malicious or exploitable backend/content generators to split HTTP responses. This issue affected Apache HTTP Server through version 2.4.58...

Internet Bug Bounty: moderate: Apache HTTP Server: mod_rewrite proxy handler substitution (CVE-2024-39573) CWE-20 Improper Input Validation

moderate: Apache HTTP Server proxy encoding problem CVE-2024-38473 An encoding problem was discovered in modproxy in Apache HTTP Server versions 2.4.59 and earlier. This issue allowed request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via...

Internet Bug Bounty: important: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (CVE-2024-38477)

important: Apache HTTP Server: Crash resulting in Denial of Service in modproxy via a malicious request CVE-2024-38477 A null pointer dereference vulnerability was discovered in modproxy in Apache HTTP Server versions 2.4.59 and earlier. This vulnerability allowed an attacker to crash the server ...

Internet Bug Bounty: important: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect (CVE-2024-38476)

The Apache HTTP Server vulnerability CVE-2024-38476 was discovered in versions 2.4.0 through 2.4.59. The vulnerability allowed the use of exploitable or malicious backend application output to run local handlers via internal redirect. Users were recommended to upgrade to version 2.4.60, which fix...

Internet Bug Bounty: important: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path. (CVE-2024-38475)

The Apache HTTP Server was found to have a vulnerability in modrewrite where improper escaping of output allowed attackers to map URLs to filesystem locations that were permitted to be served by the server but were not intentionally/directly reachable by any URL. This resulted in potential code...

Internet Bug Bounty: important: Apache HTTP Server on WIndows UNC SSRF (CVE-2024-38472)

The Apache HTTP Server on Windows contained a SSRF vulnerability CVE-2024-38472 that allowed potential leakage of NTLM hashes to a malicious server. The vulnerability was reported through the official Apache HTTP Server security email on April 1, 2024 and was fixed in version 2.4.60 released on...

Internet Bug Bounty: important: Apache HTTP Server weakness with encoded question marks in backreferences (CVE-2024-38474)

The Apache HTTP Server versions 2.4.0 through 2.4.59 were affected by a substitution encoding issue in modrewrite that allowed attackers to execute scripts in directories permitted by the configuration, but not directly reachable by any URL, or disclose the source of scripts meant to be executed ...

SUSE CVE-2024-38477

null pointer dereference in modproxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue...

PT-2024-5594 · Apache +6 · Apache Http Server +6

Name of the Vulnerable Software and Affected Versions: Apache HTTP Server version 2.4.60 Description: A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances...

KLA70210 SB vulnerability in Apache HTTP Server

Security bypass vulnerability was found in Apache HTTP Server. Malicious users can exploit this vulnerability to bypass security restrictions. Original advisories Fixed in Apache HTTP Server 2.4.61 Related products Apache-HTTP-Server CVE list CVE-2024-39884 unknown Solution Update to the latest...

Apache 2.4.x < 2.4.61

The version of Apache httpd installed on the remote host is prior to 2.4.61. It is, therefore, affected by a vulnerability as referenced in the 2.4.61 advisory. - Apache HTTP Server: source code disclosure with handlers configured via AddType: A regression in the core of Apache HTTP Server 2.4.60...

Vulnerabilities fixed in Apache HHTP server

Apache Software Foundation has fixed vulnerabilities in the Apache HTTP Server. A malicious party can exploit the vulnerabilities to cause a denial-of-service, manipulate traffic via Server-Side-Request-Forgery SSRF, or execute code within the Web server, which the malicious party is not initiall...

CVE-2024-38477

A flaw was found in the modproxy module of httpd. A NULL pointer dereference can be triggered when processing a specially crafted HTTP request, causing the httpd server to crash, and resulting in a denial of service. Mitigation Red Hat has investigated whether a possible mitigation exists for thi...

CVE-2024-38475

A flaw was found in the modrewrite module of httpd. Improper escaping of output allows an attacker to map URLs to filesystem locations permitted to be served by the server but are not intentionally or directly reachable by any URL. This issue results in code execution or source code disclosure...

CVE-2024-38473

A flaw was found in the modproxy module of httpd. Due to an encoding problem, specially crafted request URLs with incorrect encoding can be sent to backend services, potentially bypassing authentication. Mitigation Mitigation for this issue is either not available or the currently available optio...