- 193/2024
- Critical
Apache has released a security update to address several vulnerabilities across Apache HTTP Server 2.4.58 and earlier.
The addressed vulnerabilities could allow the attacker to perform denial of service attacks, bypass security restrictions, obtain sensitive information, execute arbitrary code, and gain access to the affected system by sending a specially crafted request.
Sample of the addressed vulnerabilities:
1. Apache HTTP Server Code Execution Vulnerability (CVE-2024-38475):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Apache HTTP Server Information Disclosure Vulnerability (CVE-2024-38476):
- CVSS: 9.4
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Obtain Information
3. Apache HTTP Server Security Bypass Vulnerability (CVE-2024-38473):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Bypass Security
Vulnerabilities
• CVE-2024-38472
• CVE-2024-38473
• CVE-2024-38474
• CVE-2024-38475
• CVE-2024-38476
• CVE-2024-38477
• CVE-2024-39573
• CVE-2024-36387
Mitigations
The enterprise should deploy the patches as soon as the testing phase is completed.