CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-38476

CVSS 9.8v3.1pub. 2024-07-01upd. 2025-11-03

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

🤖 AI Analysis
How it works

The vulnerability exists in the core of Apache HTTP Server and is triggered by responses returned by backend applications. When a backend returns maliciously crafted HTTP response headers, the Apache server processes them in a way that can lead to disclosure of sensitive data, execution of SSRF requests to internal resources, or triggering of local scripts. An attacker can potentially influence the behavior of the frontend server by controlling or compromising the backend layer.

Impact

An attacker can gain access to sensitive information, execute requests to internal network resources (SSRF), or cause local script execution on the server, which could result in complete system compromise.

Mitigation & patch

Apache HTTP Server should be updated to version 2.4.60 or later, which contains a fix for this vulnerability. NetApp Clustered Data ONTAP users should apply patches according to NetApp recommendations available at https://security.netapp.com/advisory/ntap-20240712-0001/.

Who is affected

Apache HTTP Server version 2.4.59 and earlier; NetApp Clustered Data ONTAP (specific versions indicated in NetApp vendor references).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache HTTP Server

    APP
    Apache
    2.4.0 – 2.4.60 (bez)
  • Netapp Clustered Data Ontap

    OS
    Netapp
    9.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
SSRF
CWE
References

Related vulnerabilities

CVE-2024-38475CRITICAL9.1⚠ KEVPL ✓ten sam produkt

Apache HTTP Server mod_rewrite — ujawnienie kodu i RCE poprzez błędne escapowanie

CVE-2021-42013CRITICAL9.8⚠ KEVten sam produkt

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could ...

CVE-2021-41773CRITICAL9.8⚠ KEVten sam produkt

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a ...

CVE-2021-40438CRITICAL9.0⚠ KEVten sam produkt

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remot...

CVE-2026-29167CRITICAL9.8PL ✓ten sam produkt

Use-after-free w Apache HTTP Server z mod_ldap (CVE-2026-29167)