CVE-2024-38474

Published Jul 1, 2024

Last updated a year ago

CVSS critical 9.8
HTTP

Overview

Description
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.
Source
security@apache.org
NVD status
Modified
Products
http_server, clustered_data_ontap

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@apache.org
CWE-116

Social media

Hype score
Not currently trending

  1. ‼️ Critical Apache vulnerability in Ubuntu 14.04 LTS (CVE-2024-38474/75). Attackers can crash servers or execute scripts via mod_rewrite. Patch ASAP! 🔗Read more: 👉 https://t.co/TJjpeYMRVs #InfoSec #DevOps #Ubuntu https://t.co/DWscRiB82a

    @Cezar_H_Linux

    21 Jul 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Akhir tahun kita closingan dengan BloodHound dan httpX karna PoC buat CVE udah banyak banget, tenkyu gxc dan kawan-kawan. > CVE-2024-38472 > CVE-2024-39573 > CVE-2024-38477 > CVE-2024-38476 > CVE-2024-38475 > CVE-2024-38474 > CVE-2024-38473 > CVE-2023-387

    @byt3n33dl3

    31 Dec 2024

    83 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. mrmtwoj/apache-vulnerability-testing: Apache HTTP Server Vulnerability Testing Tool | PoC for CVE-2024-38472 , CVE-2024-39573 , CVE-2024-38477 , CVE-2024-38476 , CVE-2024-38475 , CVE-2024-38474 , CVE-2024-38473 , CVE-2023-38709 https://t.co/1vHVQPeJmm

    @Alra3ees

    30 Dec 2024

    4962 Impressions

    33 Retweets

    132 Likes

    111 Bookmarks

    1 Reply

    0 Quotes

  4. GitHub - mrmtwoj/apache-vulnerability-testing: Apache HTTP Server Vulnerability Testing Tool | PoC for CVE-2024-38472 , CVE-2024-39573 , CVE-2024-38477 , CVE-2024-38476 , CVE-2024-38475 , CVE-2024-38474 , CVE-2024-38473 , CVE-2023-38709 https://t.co/wxO2nxclqJ

    @akaclandestine

    14 Dec 2024

    2095 Impressions

    16 Retweets

    48 Likes

    27 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.CVE-2026-28780
  2. Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.CVE-2026-29168
  3. HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.CVE-2026-33523
  4. A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue.CVE-2026-33007
  5. Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.CVE-2026-23918

References

Sources include official advisories and independent security research.