Apache HTTP Server 2.4.60 regression enables local source disclosure via AddType
CVE-2024-39884 Published on July 4, 2024

Apache HTTP Server: source code disclosure with handlers configured via AddType
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.   "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2024-39884 is exploitable with local system access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Timeline

reported


Products Associated with CVE-2024-39884

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-39884 are published in these products:

Canonical Ubuntu Linux
 
Apache HTTP Server
 
Oracle
 
NetApp Ontap Tools
 
Microsoft Http Server
 

Affected Versions

Apache Software Foundation Apache HTTP Server Version 2.4.60 is affected by CVE-2024-39884

Exploit Probability

EPSS
0.25%
Percentile
47.58%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.