{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-38477", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-06-17T11:11:30.174Z", "datePublished": "2024-07-01T18:16:11.935Z", "dateUpdated": "2024-09-13T17:04:58.395Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.59", "status": "affected", "version": "2.4.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Orange Tsai (@orange_8361) from DEVCORE"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.<br>Users are recommended to upgrade to version 2.4.60, which fixes this issue."}], "value": "null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-07-01T18:16:11.935Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240712-0001/"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2024-04-01T12:00:00.000Z", "value": "Reported"}], "title": "Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-22T16:23:13.858578Z", "id": "CVE-2024-38477", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-22T16:23:33.260Z"}}, {"title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240712-0001/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/01/10"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T17:04:58.395Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240712-0001/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/01/10"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T17:04:58.395Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38477", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-22T16:23:13.858578Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-22T16:23:24.134Z"}}], "cna": {"title": "Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Orange Tsai (@orange_8361) from DEVCORE"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache HTTP Server", "versions": [{"status": "affected", "version": "2.4.0", "versionType": "semver", "lessThanOrEqual": "2.4.59"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-04-01T12:00:00.000Z", "value": "Reported"}], "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["vendor-advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20240712-0001/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.", "supportingMedia": [{"type": "text/html", "value": "null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.<br>Users are recommended to upgrade to version 2.4.60, which fixes this issue.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-07-01T18:16:11.935Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38477", "state": "PUBLISHED", "dateUpdated": "2024-09-13T17:04:58.395Z", "dateReserved": "2024-06-17T11:11:30.174Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-07-01T18:16:11.935Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "13126636-FD76-4E3E-B949-14A5082DE02A", "versionEndExcluding": "2.4.60", "versionStartIncluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:clustered_data_ontap:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "C3ED302E-F464-40DE-A976-FD518E42D95D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue."}, {"lang": "es", "value": "La desreferencia del puntero nulo en mod_proxy en Apache HTTP Server 2.4.59 y versiones anteriores permite a un atacante bloquear el servidor mediante una solicitud maliciosa. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.4.60, que soluciona este problema."}], "id": "CVE-2024-38477", "lastModified": "2024-08-21T15:11:30.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-01T19:15:05.083", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240712-0001/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security@apache.org", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-httpd-0:2.4.57-13.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_http2-0:1.15.19-41.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_jk-0:1.2.49-11.redhat_1.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_md-1:2.4.24-11.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-8.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_security-0:2.9.3-40.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-httpd-0:2.4.57-13.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_http2-0:1.15.19-41.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_jk-0:1.2.49-11.redhat_1.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_md-1:2.4.24-11.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-8.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:5239", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_security-0:2.9.3-40.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-08-13T00:00:00Z"}, {"advisory": "RHSA-2024:4938", "cpe": "cpe:/o:redhat:rhel_aus:7.7", "package": "httpd-0:2.4.6-90.el7_7.4", "product_name": "Red Hat Enterprise Linux 7.7 Advanced Update Support", "release_date": "2024-07-31T00:00:00Z"}, {"advisory": "RHSA-2024:4943", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "httpd-0:2.4.6-99.el7_9.2", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-07-31T00:00:00Z"}, {"advisory": "RHSA-2024:4720", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "httpd:2.4-8100020240712114234.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-23T00:00:00Z"}, {"advisory": "RHSA-2024:4820", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "httpd:2.4-8020020240720043142.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4830", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "httpd:2.4-8040020240720035525.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4830", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "httpd:2.4-8040020240720035525.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4830", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "httpd:2.4-8040020240720035525.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4827", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "httpd:2.4-8060020240719220036.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4827", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "httpd:2.4-8060020240719220036.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4827", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "httpd:2.4-8060020240719220036.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-07-24T00:00:00Z"}, {"advisory": "RHSA-2024:4719", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "httpd:2.4-8080020240717184413.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-07-23T00:00:00Z"}, {"advisory": "RHSA-2024:4726", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "httpd-0:2.4.57-11.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-07-23T00:00:00Z"}, {"advisory": "RHSA-2024:4863", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "httpd-0:2.4.51-7.el9_0.7", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-07-25T00:00:00Z"}, {"advisory": "RHSA-2024:4862", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "httpd-0:2.4.53-11.el9_2.8", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-25T00:00:00Z"}, {"advisory": "RHSA-2024:5240", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "jbcs-httpd24-httpd", "product_name": "Red Hat JBoss Core Services 1", "release_date": "2024-08-13T00:00:00Z"}], "bugzilla": {"description": "httpd: NULL pointer dereference in mod_proxy", "id": "2295016", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295016"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-476", "details": ["null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.", "A flaw was found in the mod_proxy module of httpd. A NULL pointer dereference can be triggered when processing a specially crafted HTTP request, causing the httpd server to crash, and resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2024-38477", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Affected", "package_name": "httpd", "product_name": "Red Hat JBoss Core Services"}], "public_date": "2024-07-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-38477\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38477\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38477"], "statement": "As this flaw allows a remote attacker to cause a denial of service, it has been rated with an important severity.\nThis flaw only affects configurations with mod_proxy loaded and being used. This module can be disabled via the configuration file if its functionality is not being used.", "threat_severity": "Important"}