CVE-2024-38473

high-risk

Published 2024-07-01

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Do I need to act?

88.3% chance of exploitation in next 30 days

EPSS score — higher than 12% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / LOW complexity

Affected Products (2)

Http Server

Ontap

Affected Vendors

Apache Netapp

References (5)

Vendor Advisory https://httpd.apache.org/security/vulnerabilities_24.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20240712-0001/

Mailing List http://www.openwall.com/lists/oss-security/2024/07/01/6

Vendor Advisory https://httpd.apache.org/security/vulnerabilities_24.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20240712-0001/

/ 100

high-risk

Severity 28/34 · Critical

Exploitability 20/34 · Moderate

Exposure 7/34 · Low