Main Vulnerability Database SB2024080521

SB2024080521 - Fedora 39 update for httpd

Published: August 5, 2024 Updated: December 19, 2024

Security Bulletin ID SB2024080521

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2024-38474)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in mod_rewrite when parsing encoded question marks in backreferences. A remote attacker can execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.

2) Information disclosure (CVE-ID: CVE-2024-40725)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error when processing legacy content-type based configuration of handlers, such as "AddType" and similar configuration when files are requested indirectly. A remote attacker can send a specially crafted HTTP request and view contents of files, for example the source code of a PHP script can be served instead of interpreted.

Note, the vulnerability exists due to incomplete fix for #VU93729 (CVE-2024-39884).

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2024-e83af0855e