CVE-2024-38476 — Apache HTTP Server may use exploitable/malicious backend application output to r

Description

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

How to fix CVE-2024-38476

To remediate CVE-2024-38476, upgrade the affected package to a fixed version below.

—upgrade to 2.4.60-r0 or later
—upgrade to 2.4.60 or later
—upgrade to 2.4.61-1~deb11u1 or later

Is CVE-2024-38476 being exploited?

Low — EPSS is 4.7%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.4.60-r0
>= 2.4.0, < 2.4.60
from 0, < 2.4.61-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-38476
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-38476
WEBseclists.org/fulldisclosure/2024/Oct/11
WEBhttpd.apache.org/security/vulnerabilities_24.html
WEB