Show plain JSON{"affected_release": [{"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-httpd-0:2.4.57-13.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_http2-0:1.15.19-41.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_jk-0:1.2.49-11.redhat_1.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_md-1:2.4.24-11.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-8.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_security-0:2.9.3-40.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-httpd-0:2.4.57-13.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_http2-0:1.15.19-41.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_jk-0:1.2.49-11.redhat_1.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_md-1:2.4.24-11.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-8.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_security-0:2.9.3-40.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:4720", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "httpd:2.4-8100020240712114234.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-23T00:00:00Z"}, {"advisory": "RHSA-2024:4726", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "httpd-0:2.4.57-11.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-07-23T00:00:00Z"}, {"advisory": "RHSA-2024:5001", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "httpd-0:2.4.53-11.el9_2.10", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-08-06T00:00:00Z"}, {"advisory": "RHSA-2024:5240", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "jbcs-httpd24-httpd", "product_name": "Text-Only JBCS", "release_date": "2024-08-13T00:00:00Z"}], "bugzilla": {"description": "httpd: Encoding problem in mod_proxy", "id": "2295012", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295012"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-116", "details": ["Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.", "A flaw was found in the mod_proxy module of httpd. Due to an encoding problem, specially crafted request URLs with incorrect encoding can be sent to backend services, potentially bypassing authentication."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-38473", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat JBoss Core Services"}], "public_date": "2024-07-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-38473\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38473\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38473"], "statement": "This issue affects configurations where mechanisms other than ProxyPass/ProxyPassMatch or RewriteRule with the 'P' flag are used to configure a request to be proxied, such as SetHandler or inadvertent proxying via CVE-2024-39573. Note that these alternate mechanisms may be used within .htaccess files.\nFor more information about CVE-2024-39573, see https://access.redhat.com/security/cve/CVE-2024-39573.\nAdditionally, this flaw requires mod_proxy to be loaded and being used. This module can be disabled if its functionality is not needed.\nRed Hat Enterprise Linux 6 is not affected by this vulnerability because the vulnerable code was introduced in a newer version of httpd.", "threat_severity": "Moderate"}