CVE-2024-38476

CRITICAL

Apache HTTP Server <2.4.60 - Info Disclosure/SSRF

Title source: llm

Description

A vulnerability in the core of Apache HTTP Server 2.4.59 and earlier leaves it vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Exploits (2)

github SCANNER 123 stars
by mrmtwoj · pythonpoc
https://github.com/mrmtwoj/apache-vulnerability-testing
nomisec WRITEUP
by abanop22333 · poc
https://github.com/abanop22333/Apache-Authentication-Flaw-Research-CVE-2024-38476-

Scores

CVSS v3 9.8
EPSS 0.0345
EPSS Percentile 87.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-829
Status published

Affected Products (2)

apache/http_server < 2.4.60
netapp/clustered_data_ontap

Timeline

Published Jul 01, 2024
Tracked Since Feb 18, 2026