CVE-2024-38473 — Apache HTTP Server proxy encoding problem

Description

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

How to fix CVE-2024-38473

To remediate CVE-2024-38473, upgrade the affected package to a fixed version below.

—upgrade to 2.4.60-r0 or later
—upgrade to 2.4.60 or later
—upgrade to 2.4.61-1~deb11u1 or later

Is CVE-2024-38473 being exploited?

Likely — EPSS is 88.4%, placing CVE-2024-38473 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (3)

from 0, < 2.4.60-r0
>= 2.4.0, < 2.4.60
from 0, < 2.4.61-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

References (6)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-38473
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-38473
WEBhttpd.apache.org/security/vulnerabilities_24.html
WEBnvd.nist.gov/vuln/detail/CVE-2024-38473
WEB