Request a Demo
Rewterz
Juniper Networks Issues Critical Security Update for Routers
July 2, 2024
Rewterz
CVE-2024-37137 – Dell CloudLink Vulnerability
July 2, 2024

Multiple Apache HTTP Server Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-36387 CVSS:7.5

Apache HTTP Server s vulnerable to a denial of service, caused by a NULL Pointer dereference flaw when serving WebSocket protocol upgrades over a HTTP/2 connection. By sending a specially crafted request, a remote attacker could exploit this vulnerability to crash the server process and degrade performance.

CVE-2024-38472 CVSS:9.1

Apache HTTP Server is vulnerable to server-side request forgery, caused by improper validation of WIndows UNC. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.

CVE-2024-38473 CVSS:7.5

Apache HTTP Server could allow a remote attacker to bypass security restrictions, caused by an encoding flaw in mod_proxy. By sending specially crafted requests, an attacker could exploit this vulnerability to bypass authentication validation.

CVE-2024-38474 CVSS:7.3

Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by a substitution encoding issue in mod_rewrite. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in directories permitted by the configuration.

CVE-2024-38475 CVSS:9.8

Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by improper escaping of output in mod_rewrite. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or source code disclosure.

CVE-2024-38476 CVSS:9.4

Apache HTTP Server allow a remote attacker to obtain sensitive information, caused by improper input validation by the backend applications response headers. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, perform server-side request forgery attack or local script execution.

CVE-2024-38477 CVSS:7.5

Apache HTTP Server is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in mod_proxy. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.

CVE-2024-39573 CVSS:7.5

Apache HTTP Server is vulnerable to server-side request forgery, caused by a flaw in the mod_rewrite. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.

Impact

  • Denial of Service
  • Gain Access
  • Code Execution
  • Security Bypass
  • Information Disclosure

Indicators of Compromise

CVE

  • CVE-2024-36387
  • CVE-2024-38472
  • CVE-2024-38473
  • CVE-2024-38474
  • CVE-2024-38475
  • CVE-2024-38476
  • CVE-2024-38477
  • CVE-2024-39573

Affected Vendors

Apache

Affected Products

  • Apache HTTP Server 2.4.0
  • Apache HTTP Server 2.4.59

Remediation

Upgrade to the latest version of Apache HTTP Server, available from the Apache Website.

Apache Website