{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2024-38476","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2024-06-17T11:10:56.470Z","datePublished":"2024-07-01T18:15:40.071Z","dateUpdated":"2025-11-03T21:55:42.872Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache HTTP Server","vendor":"Apache Software Foundation","versions":[{"lessThanOrEqual":"2.4.59","status":"affected","version":"2.4.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Orange Tsai (@orange_8361) from DEVCORE"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">backend applications whose response headers are malicious or exploitable.</span><br><br>Users are recommended to upgrade to version 2.4.60, which fixes this issue."}],"value":"Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.\n\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue."}],"metrics":[{"other":{"content":{"text":"important"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-829","description":"CWE-829 Inclusion of Functionality from Untrusted Control Sphere","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2024-07-12T14:06:14.537Z"},"references":[{"tags":["vendor-advisory"],"url":"https://httpd.apache.org/security/vulnerabilities_24.html"},{"url":"https://security.netapp.com/advisory/ntap-20240712-0001/"}],"source":{"discovery":"UNKNOWN"},"timeline":[{"lang":"en","time":"2024-04-01T12:00:00.000Z","value":"reported"}],"title":"Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"affected":[{"vendor":"apache","product":"http_server","cpes":["cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThanOrEqual":"2.4.59","versionType":"custom"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.8,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-10-29T03:55:12.524796Z","id":"CVE-2024-38476","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-29T16:42:18.129Z"}},{"title":"CVE Program Container","references":[{"tags":["vendor-advisory","x_transferred"],"url":"https://httpd.apache.org/security/vulnerabilities_24.html"},{"url":"https://security.netapp.com/advisory/ntap-20240712-0001/","tags":["x_transferred"]},{"url":"http://www.openwall.com/lists/oss-security/2024/07/01/9"},{"url":"http://seclists.org/fulldisclosure/2024/Oct/11"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T21:55:42.872Z"}}]},"dataVersion":"5.2"}