CVE-2024-38473

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://httpd.apache.org/security/vulnerabilities_24.html	Vendor Advisory
https://security.netapp.com/advisory/ntap-20240712-0001/	Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/07/01/6	Mailing List
https://httpd.apache.org/security/vulnerabilities_24.html	Vendor Advisory
https://security.netapp.com/advisory/ntap-20240712-0001/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:netapp:ontap:9:*:*:*:*:*:*:*

History

01 Jul 2025, 20:25

Type	Values Removed	Values Added
CPE		cpe:2.3:a:apache:http_server:::::::: cpe:2.3:a:netapp:ontap:9:::::::*
First Time		Apache Netapp ontap Netapp Apache http Server
References	~~() https://httpd.apache.org/security/vulnerabilities_24.html -~~	() https://httpd.apache.org/security/vulnerabilities_24.html - Vendor Advisory
References	~~() https://security.netapp.com/advisory/ntap-20240712-0001/ -~~	() https://security.netapp.com/advisory/ntap-20240712-0001/ - Third Party Advisory
References	~~() http://www.openwall.com/lists/oss-security/2024/07/01/6 -~~	() http://www.openwall.com/lists/oss-security/2024/07/01/6 - Mailing List

Information

Published : 2024-07-01 19:15

Updated : 2025-07-01 20:25

NVD link : CVE-2024-38473

Mitre link : CVE-2024-38473

CVE.ORG link : CVE-2024-38473

JSON object : View

Products Affected

apache

http_server

netapp

ontap

CWE

CWE-116

Improper Encoding or Escaping of Output

{"id": "CVE-2024-38473", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2024-07-01T19:15:04.657", "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://security.netapp.com/advisory/ntap-20240712-0001/", "tags": ["Third Party Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/01/6", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20240712-0001/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-116"}]}], "descriptions": [{"lang": "en", "value": "Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue."}, {"lang": "es", "value": "El problema de codificaci\u00f3n en mod_proxy en Apache HTTP Server 2.4.59 y versiones anteriores permite que las URL de solicitud con codificaci\u00f3n incorrecta se env\u00eden a servicios backend, lo que potencialmente evita la autenticaci\u00f3n mediante solicitudes manipuladas. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.4.60, que soluciona este problema."}], "lastModified": "2025-07-01T20:25:09.547", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13126636-FD76-4E3E-B949-14A5082DE02A", "versionEndExcluding": "2.4.60", "versionStartIncluding": "2.4.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netapp:ontap:9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A20333EE-4C13-426E-8B54-D78679D5DDB8"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}