Vulnerability Details : CVE-2024-38475
Potential exploit
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.
Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change, and the rewrite flag "UnsafePrefixStat" can be used to opt back in once the substitution has been confirmed to be appropriately constrained.
Products affected by CVE-2024-38475
- cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:ontap_9:-:*:*:*:*:*:*:*
CVE-2024-38475 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Apache HTTP Server Improper Escaping of Output Vulnerability
CISA required action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA description:
Apache HTTP Server contains an improper escaping of output vulnerability in mod_rewrite that allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclo
Notes:
This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://httpd.apache.org/security/vulnerabilities_24.html ; https://nvd.n
Added on
2025-05-01
Action due date
2025-05-22
Exploit prediction scoring system (EPSS) score for CVE-2024-38475
92.40%
Probability of exploitation activity in the next 30 days
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2024-38475
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 3.9 | 5.2 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-07-08 |
CWE ids for CVE-2024-38475
- The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
  Assigned by:
  - f0158376-9dc2-43b6-827c-5f631a4d8d09 (Primary)
  - security@apache.org (Secondary)
References for CVE-2024-38475
- https://www.blackhat.com/us-24/briefings/schedule/index.html#confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-pre-recorded-40227
  Third Party Advisory
- https://httpd.apache.org/security/vulnerabilities_24.html
  httpd 2.4 vulnerabilities - The Apache HTTP Server Project (Vendor Advisory)
- https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf
  Patch
- https://security.netapp.com/advisory/ntap-20240712-0001/
  July 2024 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2024/07/01/8
  Third Party Advisory