#VU93542 Input validation error in Apache HTTP Server - CVE-2024-38475


| Updated: 2025-05-01

Vulnerability identifier: #VU93542

Vulnerability risk: Critical

CVSSv4.0: 9.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2024-38475

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Apache HTTP Server
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in mod_rewrite when first segment of substitution matches filesystem path. A remote attacker can map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL and view contents of files or execute arbitrary code.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache HTTP Server: 2.4 - 2.4.59

External links
https://lists.apache.org/thread/tzks8jdmh39hbl723d1xq61mcl4ndv13

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


Latest bulletins with this vulnerability


Anolis OS update for httpd
Anolis OS update for httpd
Anolis OS update for httpd:2.4 module
Multiple vulnerabilities in IBM Cloud Pak for AIOps
Multiple vulnerabilities in HPE HP-UX Apache Web Server
Multiple vulnerabilities in Oracle HTTP Server
Multiple vulnerabilities in Oracle SD-WAN Edge
Multiple vulnerabilities in Dell OpenManage Enterprise Modular
IBM Power Hardware Management Console (HMC) update for Apache HTTP Server
Multiple vulnerabilities in IBM Planning Analytics