CVE-2024-38475

Published Jul 1, 2024

Last updated 6 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2024-38475 involves improper output escaping in the `mod_rewrite` module of the Apache HTTP Server, specifically in versions 2.4.59 and earlier. This flaw allows an attacker to map URLs to filesystem locations that the server is permitted to serve but are not intended to be directly accessible. This vulnerability can lead to code execution or source code disclosure. The issue arises when substitutions in the server context use backreferences or variables as the initial segment of the substitution. While the fix might break some existing RewriteRules, the "UnsafePrefixStat" flag can be used to revert to the previous behavior if the substitution is appropriately constrained.

Description
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
Source
security@apache.org
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Apache HTTP Server Improper Escaping of Output Vulnerability
Exploit added on
May 1, 2025
Exploit action due
May 22, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

security@apache.org
CWE-116

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

1

  1. 🚨 CVE-2024-38475 in Apache HTTPD (mod_rewrite) allows unauth RCE & file read—now exploited in the wild in attacks on SonicWall SMA. 😬 Patch HTTPD to 2.4.60 ASAP and audit your infrastructure for products embedding Apache HTTPD! #Apache #SonicWall ➡️ https://t.co/F

    @leonov_av

    6 May 2025

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 STRIKE Threat Intel Advisory – CVE-2024-38475 🚨 SecurityScorecard’s STRIKE team is tracking active exposure of CVE-2024-38475 — a high-severity vulnerability (CVSS 9.1) affecting Apache HTTP Servers. On May 1, 2025, this vulnerability was added to CISA’s list

    @security_score

    6 May 2025

    159 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 Urgent: CISA confirms active exploitation of critical SonicWall SMA 100 flaws (CVE-2023-44221 & CVE-2024-38475). Patch now or restrict admin access—attackers are chaining these for full system compromise. Details: https://t.co/wH4g7CaLcj

    @RedTeamNewsBlog

    5 May 2025

    71 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Actively exploited CVE : CVE-2024-38475

    @transilienceai

    5 May 2025

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. 🚨 CISA has added two critical SonicWall vulnerabilities, CVE-2023-44221 and CVE-2024-38475, to the KEV catalog due to active exploitation. Remote OS command injection risks unauthorized control over these products. 🛡️ #SonicWall #CyberAlerts link: https://t.co/nhYbiHse66

    @TweetThreatNews

    5 May 2025

    118 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 米国サイバーセキュリティ機関CISAは、SonicWallの脆弱性CVE-2023-44221およびCVE-2024-38475を「既知の悪用脆弱性(KEV)」カタログに追加した。対象はSonicWallのSMA 100シリーズなどで、該当バージョン以降に更新されて

    @yousukezan

    5 May 2025

    644 Impressions

    0 Retweets

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  7. SonicWall VPNの脆弱性CVE-2023-44221及びCVE-2024-38475に対応するPoC(攻撃の概念実証コード)が公表された。 https://t.co/zC1IzEp0w2

    @__kokumoto

    5 May 2025

    928 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  8. Actively exploited CVE : CVE-2024-38475

    @transilienceai

    4 May 2025

    100 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  9. 🔥 Breaking News: Cyber attackers are exploiting old vulnerabilities to breach SonicWall SMA appliances! 🚨 With flaws like CVE-2024-38475 & CVE-2023-44221 being targeted, it's more crucial than ever to prioritize security updates.

    @WideWatchers

    4 May 2025

    129 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Attackers exploited old flaws to breach SonicWall SMA appliances (CVE-2024-38475, CVE-2023-44221) - Help Net Security https://t.co/H4mEt1FIyD

    @PVynckier

    4 May 2025

    247 Impressions

    3 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. یکی از ماژول های معروف و پرکاربرد وب سرور apache ، ماژول mod_rewrite می باشد. به تازگی CISA به تمامی Adminهای وب سرور آپاچی در خصوص آسیب پذیری که مربوط به این ماژول می با

    @AmirHossein_sec

    4 May 2025

    167 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 📌 Active exploitation of SonicWall SMA 100 vulnerabilities (CVE-2024-38475, CVE-2023-44221) reported by watchTowr. Full system takeover possible. #CyberSecurity #SonicWall https://t.co/OBmtGYIdVa https://t.co/9c1ijmEQxs

    @CyberHub_blog

    4 May 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Actively exploited CVE : CVE-2024-38475

    @transilienceai

    4 May 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  14. CISA Flags Two New Actively Exploited Security Flaws: CVE-2024-38475 and CVE-2023-44221 https://t.co/RyWVDVY700

    @CyberSecuriUS

    4 May 2025

    193 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. SonicWall warns of two exploited vulnerabilities in SMA appliances, CVE-2023-44221 and CVE-2024-38475, advising customers to apply patches immediately. #Security https://t.co/TDEO2tnkHa

    @Strivehawk

    3 May 2025

    164 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. 米国CISAが悪用を確認した脆弱性 #KEV をカタログに追加しました。 🛡️No.1328 CVE-2024-38475 Apache HTTP Server Improper Escaping of Output Vulnerability ============= CVSSスコア:9.1 (Base) / CISA-ADP CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

    @piyokango

    3 May 2025

    4828 Impressions

    5 Retweets

    12 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  17. Actively exploited CVE : CVE-2024-38475

    @transilienceai

    3 May 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  18. 🚨 CVE-2024-38475 is now in the CISA KEV Catalog! This Apache HTTP Server vuln (≤2.4.59) lets attackers map URLs to unintended filesystem locations—risking code execution or source code exposure. KQL Detection: https://t.co/ydh6927aNF https://t.co/0mduJpWz7L

    @0x534c

    2 May 2025

    433 Impressions

    0 Retweets

    6 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  19. 🗞️ SonicWall SMA Devices Under Attack: Critical Flaws Actively Exploited SonicWall confirms active exploitation of CVE-2023-44221 and CVE-2024-38475 in SMA100 devices, enabling file access and session hijacking. Admins are urged to patch immediately to prevent remote code h

    @gossy_84

    2 May 2025

    90 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Des attaques contre les SSL-VPN SonicWall SMA série 100 signalées ! SonicWall a mis à jour ses avis de sécurité pour CVE-2023-44221 et CVE-2024-38475 et la CISA a ajouté ces deux CVE à la base KEV, indiquant des exploitations actives. https://t.co/UV8hj1ol9u

    @cert_ist

    2 May 2025

    86 Impressions

    2 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  21. 🚨 CVE-2024-38475 - critical 🚨 Sonicwall - Pre-Authentication Arbitrary File Read > Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier a... 👾 https://t.co/pAApk6hvtj @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    2 May 2025

    16 Impressions

    0 Retweets

    1 Like

    3 Bookmarks

    0 Replies

    0 Quotes

  22. CISA updates its Known Exploited Vulnerabilities Catalog with CVE-2024-38475 in Apache HTTP Server and CVE-2023-44221 in SonicWall SMA100 devices. Urgent patches are essential to prevent unauthorized access! ⚠️🔒 #CVE2024 #CyberThreat link: https://t.co/6LzRYakOG4 https://

    @TweetThreatNews

    2 May 2025

    82 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  23. #Attackers exploited old flaws to breach #SonicWall SMA appliances (#CVE-2024-38475, CVE-2023-44221) https://t.co/NRBg1XCzUK

    @ScyScan

    2 May 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Actively exploited CVE : CVE-2024-38475

    @transilienceai

    2 May 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  25. 🔥 UPDATE - A public PoC exploit is now available for a serious SonicWall SMA exploit chain. ➡️ CVE-2024-38475: Apache HTTP Server flaw used to bypass auth ➡️ CVE-2023-44221: Post-auth command injection via Diagnostics menu CISA has added both to the KEV catalog — f

    @TheHackersNews

    2 May 2025

    12385 Impressions

    36 Retweets

    87 Likes

    17 Bookmarks

    2 Replies

    1 Quote

  26. Our client base has been feeding us rumours about in-the-wild exploited SonicWall SMA n-days (CVE-2023-44221, CVE-2024-38475) for a while... Given these are now CISA KEV, enjoy our now public analysis and reproduction :-) https://t.co/W3zR5YRifJ

    @watchtowrcyber

    1 May 2025

    16630 Impressions

    38 Retweets

    104 Likes

    27 Bookmarks

    2 Replies

    3 Quotes

  27. ⚠️NSOC Alert ⚠️CVE-2023-44221 (CVSS 7.2) & CVE-2024-38475 (CVSS 9.8) are actively exploited in SMA100 appliances, upgrade to firmware ≥ 10.2.1.14-75sv, restrict SSL-VPN management to trusted IPs, enforce MFA for admins, segment VPN gateways, and review access logs

    @cirtgovjm

    1 May 2025

    154 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2024-38475 #Apache HTTP Server Improper Escaping of Output Vulnerability https://t.co/53XaTCveoq

    @ScyScan

    1 May 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. SonicWall has reported that vulnerabilities CVE-2023-44221 and CVE-2024-38475 in its Secure Mobile Access (SMA) appliances are being actively exploited. https://t.co/G1uxQWef4V

    @securityRSS

    1 May 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. 🛡️SonicWall VPN Flaws Under Active Attack SonicWall warns SMA100 bugs CVE-2023-44221 & CVE-2024-38475 are exploited in the wild—enabling RCE & session hijacking. Patch to 10.2.1.14-75sv ASAP. CVE-2021-20035 also being hit. https://t.co/WPUJYfAETp #CyberSecurity

    @dCypherIO

    1 May 2025

    70 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. SonicWall warns several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited. SonicWall updated advisories for the CVE-2023-44221 and CVE-2024-38475 flaws as "potentially being exploited in the wild. https://t.co/h4pBYZjxJj https://

    @riskigy

    1 May 2025

    59 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. Two new KEVs on KEVIntel this morning - CVE-2024-38475 (Apache Software Foundation) - CVE-2023-44221 (SonicWall) https://t.co/W3lvSheb1i

    @ethicalhack3r

    1 May 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  33. SonicWall reports active exploitation of vulnerabilities CVE-2023-44221 and CVE-2024-38475 in SMA100 appliances, risking command injection and unauthorized file access. Immediate system updates needed. 🚨 #SonicWall #NetworkSecurity #USA link: https://t.co/J5E82aAaP6 https://t

    @TweetThreatNews

    1 May 2025

    33 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  34. SonicWall Confirms Active Exploitation of SMA 100 Vulnerabilities - Urges Immediate Patching SonicWall warns of active attacks on SMA 100 devices via CVE-2023-44221 and CVE-2024-38475. Users urged to update firmware immediately. https://t.co/uFte5hi0UP

    @the_yellow_fall

    1 May 2025

    216 Impressions

    2 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. SonicWall warns of actively exploited vulnerabilities in its Secure Mobile Access appliances. Advisories for CVE-2023-44221 and CVE-2024-38475 were updated, affecting several devices patched in firmware 10.2.1.14-75sv. #Security https://t.co/wwJ4MNmZbX

    @Strivehawk

    30 Apr 2025

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. 🚨 SonicWall warns of high-severity vulnerabilities in SMA100 VPNs now being exploited! CVE-2023-44221 enables command injection, while CVE-2024-38475 allows remote code execution. #SonicWall #VulnerabilityAlert #USA link: https://t.co/KJnh0UEHV1 https://t.co/e1WXY5JPPa

    @TweetThreatNews

    30 Apr 2025

    14 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. Akhir tahun kita closingan dengan BloodHound dan httpX karna PoC buat CVE udah banyak banget, tenkyu gxc dan kawan-kawan. > CVE-2024-38472 > CVE-2024-39573 > CVE-2024-38477 > CVE-2024-38476 > CVE-2024-38475 > CVE-2024-38474 > CVE-2024-38473 > CVE-2023-387

    @byt3n33dl3

    31 Dec 2024

    83 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. mrmtwoj/apache-vulnerability-testing: Apache HTTP Server Vulnerability Testing Tool | PoC for CVE-2024-38472 , CVE-2024-39573 , CVE-2024-38477 , CVE-2024-38476 , CVE-2024-38475 , CVE-2024-38474 , CVE-2024-38473 , CVE-2023-38709 https://t.co/1vHVQPeJmm

    @Alra3ees

    30 Dec 2024

    4962 Impressions

    33 Retweets

    132 Likes

    111 Bookmarks

    1 Reply

    0 Quotes

  39. GitHub - mrmtwoj/apache-vulnerability-testing: Apache HTTP Server Vulnerability Testing Tool | PoC for CVE-2024-38472 , CVE-2024-39573 , CVE-2024-38477 , CVE-2024-38476 , CVE-2024-38475 , CVE-2024-38474 , CVE-2024-38473 , CVE-2023-38709 https://t.co/wxO2nxclqJ

    @akaclandestine

    14 Dec 2024

    2095 Impressions

    16 Retweets

    48 Likes

    27 Bookmarks

    0 Replies

    0 Quotes

Configurations