CVE-2024-38475

Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path.

CVSS 9.1 CRITICAL · EPSS 100.0% · KEV · CWE-116
In short

Apache HTTP Server's mod_rewrite module incorrectly handles URL rewriting when the first segment of a rewrite rule's substitution is a backreference or variable, allowing attackers to access files on the server that shouldn't be publicly reachable. This can lead to running malicious code or exposing sensitive source code.

Technical detail

A flaw in mod_rewrite's output escaping (CWE-116) in Apache HTTP Server 2.4.59 and earlier allows path traversal when substitution rules begin with backreferences or variables in server context. An attacker can craft requests matching the rewrite pattern to bypass intended access restrictions and reach arbitrary filesystem locations served by the web server, enabling remote code execution or information disclosure.

Summary generated and translated by AI from the official description.
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
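
To find rules matching the condition in the official description, the following audit sketch (an added example, not Apache's or the advisory's code) lists server-context RewriteRule lines whose substitution begins with a backreference or variable and reports whether UnsafePrefixStat is set. The sample configuration, the function name and the treatment of Directory/Location/Files sections as per-directory context are assumptions; line continuations and Include files are not followed.

```python
import re

# Constructed sample configuration (illustrative, not from the advisory).
SAMPLE_CONF = """\
RewriteEngine On
RewriteRule "^/user/(.+)$" "$1/profile.html"
RewriteRule ^/docs/(.+)$ /srv/docs/$1 [L]
<VirtualHost *:80>
    RewriteRule ^/(.+)$ %{DOCUMENT_ROOT}/$1 [L]
    RewriteRule ^/files/(.+)$ $1 [L,UnsafePrefixStat]
    <Directory "/var/www/app">
        RewriteRule ^(.+)$ $1.php
    </Directory>
</VirtualHost>
"""

# Sections treated as per-directory context (simplifying assumption).
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}
# Substitution begins with $N, %N, %{VAR} or ${map:key}.
LEADING_EXPANSION = re.compile(r"^[$%][\d{]")

def audit_rewrite_rules(conf_text):
    """Return (line, substitution, has_unsafe_prefix_stat) for each
    server-context RewriteRule whose substitution starts with an expansion."""
    findings, sections = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if sections:
                sections.pop()
            continue
        opened = re.match(r"<\s*(\w+)", line)
        if opened:
            sections.append(opened.group(1).lower())
            continue
        # Split into arguments, keeping double-quoted arguments whole.
        args = [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', line)]
        if len(args) < 3 or args[0].lower() != "rewriterule":
            continue
        if any(s in PER_DIR for s in sections):
            continue  # per-directory rules are outside the affected context
        flags = args[3].strip("[]").lower().split(",") if len(args) > 3 else []
        if LEADING_EXPANSION.match(args[2]):
            findings.append((lineno, args[2], "unsafeprefixstat" in flags))
    return findings
```

Each finding with `False` in the last field is a rule that the fixed versions may break; each with `True` is an explicit opt-in whose substitution should be reviewed for how tightly it is constrained.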