Apache HTTP Server 2.4.59 and earlier: mod_rewrite Improper Escaping Bypass
CVE-2024-38475 Published on July 1, 2024

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

Vendor Advisory NVD

Known Exploited Vulnerability

This Apache HTTP Server Improper Escaping of Output Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Apache HTTP Server contains an improper escaping of output vulnerability in mod_rewrite that allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.

The following remediation steps are recommended / required by May 22, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2024-38475 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

What is an Output Sanitization Vulnerability?

The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CVE-2024-38475 has been classified to as an Output Sanitization vulnerability or weakness.


Products Associated with CVE-2024-38475

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-38475 are published in these products:

Canonical Ubuntu Linux
 
Apache HTTP Server
 
Red Hat Http Server
 
Oracle
 
NetApp Ontap 9
 

Affected Versions

Apache Software Foundation Apache HTTP Server: apache http_server: netapp ontap_9:

Exploit Probability

EPSS
93.93%
Percentile
99.87%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.