Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.
History

Fri, 13 Sep 2024 18:30:00 +0000

Type Values Removed Values Added
References

Wed, 21 Aug 2024 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache http Server
Netapp
Netapp clustered Data Ontap
CPEs cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
cpe:2.3:o:netapp:clustered_data_ontap:9.0:*:*:*:*:*:*:*
Vendors & Products Apache
Apache http Server
Netapp
Netapp clustered Data Ontap
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 13 Aug 2024 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat jboss Core Services
CPEs cpe:/a:redhat:jboss_core_services:1
cpe:/a:redhat:jboss_core_services:1::el7
cpe:/a:redhat:jboss_core_services:1::el8
Vendors & Products Redhat jboss Core Services

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-07-01T18:14:47.004Z

Updated: 2024-09-13T17:04:55.485Z

Reserved: 2024-06-17T11:09:02.297Z

Link: CVE-2024-38474

cve-icon Vulnrichment

Updated: 2024-09-13T17:04:55.485Z

cve-icon NVD

Status : Modified

Published: 2024-07-01T19:15:04.760

Modified: 2024-11-21T09:26:02.947

Link: CVE-2024-38474

cve-icon Redhat

Severity : Important

Publid Date: 2024-07-01T00:00:00Z

Links: CVE-2024-38474 - Bugzilla