CVE-2024-38474
Publication date 1 July 2024
Last updated 18 September 2024
Ubuntu priority
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| apache2 | 24.10 oracular |
Fixed 2.4.62-1ubuntu1
|
| 24.04 LTS noble |
Fixed 2.4.58-1ubuntu8.2
|
|
| 22.04 LTS jammy |
Fixed 2.4.52-1ubuntu4.10
|
|
| 20.04 LTS focal |
Fixed 2.4.41-4ubuntu3.19
|
|
| 18.04 LTS bionic |
Fixed 2.4.29-1ubuntu4.27+esm3
|
|
| 16.04 LTS xenial |
Fixed 2.4.18-2ubuntu3.17+esm13
|
|
| 14.04 LTS trusty |
Needs evaluation
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProPatch details
| Package | Patch details |
|---|---|
| apache2 |
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6885-1
- Apache HTTP Server vulnerabilities
- 8 July 2024
- USN-6885-3
- Apache HTTP Server vulnerabilities
- 18 September 2024