#VU93543 Server-Side Request Forgery (SSRF) in Apache HTTP Server


Published: 2024-07-01

Vulnerability identifier: #VU93543

Vulnerability risk: High

CVSSv3.1: 7.8 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-38476

CWE-ID: CWE-918

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache HTTP Server
Server applications / Web servers

Vendor: Apache Foundation

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker with control over the backend server can run local handlers via internal redirect and gain access to sensitive information or compromise the affected system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache HTTP Server: 2.4 - 2.4.59

External links
http://lists.apache.org/thread/p2xfjsvpogyrg4hw9cjs2nrnqnl34qf0

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


IBM Datapower Operations Dashboard update for Apache HTTP Server
Multiple vulnerabilities in macOS Sequoia
Multiple vulnerabilities in Dell NetWorker And NetWorker Management Console
Multiple vulnerabilities in Dell CyberSense OS
Multiple vulnerabilities in cPanel EasyApache
Multiple vulnerabilities in Oracle Secure Backup
Multiple vulnerabilities in IBM Rational Build Forge
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.17
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.17
Multiple vulnerabilities in IBM Aspera Console