Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.

In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 29 Jul 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache http Server
CPEs cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
Vendors & Products Apache http Server

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00018}

epss

{'score': 0.00041}


Tue, 15 Jul 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 14 Jul 2025 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-117
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

threat_severity

Moderate


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00018}


Thu, 10 Jul 2025 17:00:00 +0000

Type Values Removed Values Added
Description Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
Title Apache HTTP Server: mod_ssl error log variable escaping
Weaknesses CWE-150
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-07-15T19:56:38.784Z

Reserved: 2024-09-23T15:25:33.808Z

Link: CVE-2024-47252

cve-icon Vulnrichment

Updated: 2025-07-11T16:06:36.176Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-10T17:15:46.400

Modified: 2025-07-29T15:15:35.107

Link: CVE-2024-47252

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-07-14T07:17:04Z

Links: CVE-2024-47252 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2025-07-12T22:09:39Z