SB2024072114 - openEuler update for httpd
Published: July 21, 2024 Updated: May 1, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2024-38475)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input in mod_rewrite when first segment of substitution matches filesystem path. A remote attacker can map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL and view contents of files or execute arbitrary code.
2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-39573)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in mod_rewrite proxy handler substitution. A remote attacker can cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy.
3) Denial of service (CVE-ID: CVE-2016-6431)
The vulneability allows a remote unauthenticated user to cause DoS conditions on the target system.The weakness is due to insufficient input validation. By sending a specially crafted enrollment request to the target system via HTTPS, attackers can trigger flaw in the Certificate Authority (CA) enrollment feature that leads to the system reload.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Remediation
Install update from vendor's website.