{"id":"CVE-2024-38475","details":"Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. \n\nSubstitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change; the rewrite flag \"UnsafePrefixStat\" can be used to opt back in once it has been ensured that the substitution is appropriately constrained.","aliases":["BIT-apache-2024-38475"],"modified":"2026-04-16T04:36:18.629987296Z","published":"2024-07-01T19:15:04.883Z","related":["ALSA-2024:4720","ALSA-2024:4726","SUSE-SU-2024:2436-1","SUSE-SU-2024:2591-1","SUSE-SU-2024:2597-1","SUSE-SU-2024:2624-1","openSUSE-SU-2024:14116-1"],"references":[{"type":"ADVISORY","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018"},{"type":"ADVISORY","url":"https://www.blackhat.com/us-24/briefings/schedule/index.html#confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-pre-recorded-40227"},{"type":"ADVISORY","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38475"},{"type":"ADVISORY","url":"https://httpd.apache.org/security/vulnerabilities_24.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240712-0001/"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2024/07/01/8"},{"type":"FIX","url":"https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/httpd","events":[{"introduced":"da5873e80d6eee7a0838793bf68f1d0254745fbb"},{"fixed":"15e7241fa52e86096ee061e1b7fca0cd8d6f53ee"},{"fixed":"9a6157d1e2f7ab15963020381054b48782bc18cf"}],"database_specific":{"versions":[{"introduced":"2.4.0"},
{"fixed":"2.4.60"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38475.json","vanir_signatures_modified":"2026-04-12T10:54:00Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"10.2.1.14-75sv"}]},{"events":[{"introduced":"0"},{"fixed":"10.2.1.14-75sv"}]},{"events":[{"introduced":"0"},{"fixed":"10.2.1.14-75sv"}]},{"events":[{"introduced":"0"},{"fixed":"10.2.1.14-75sv"}]},{"events":[{"introduced":"0"},{"fixed":"10.2.1.14-75sv"}]}],"vanir_signatures":[{"source":"https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf","signature_type":"Function","deprecated":false,"signature_version":"v1","id":"CVE-2024-38475-1652a3e7","digest":{"length":4490,"function_hash":"329410896395352933459831664613583229362"},"target":{"function":"apply_rewrite_rule","file":"modules/mappers/mod_rewrite.c"}},{"digest":{"length":2756,"function_hash":"320500891851585845606909327191677408985"},"source":"https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf","deprecated":false,"signature_version":"v1","id":"CVE-2024-38475-2bcb97fd","signature_type":"Function","target":{"function":"apply_rewrite_list","file":"modules/mappers/mod_rewrite.c"}},{"digest":{"function_hash":"65318892989921758207495324094933727406","length":718},"signature_type":"Function","deprecated":false,"signature_version":"v1","id":"CVE-2024-38475-2f926f10","source":"https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf","target":{"function":"prefix_stat","file":"modules/mappers/mod_rewrite.c"}},{"source":"https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf","signature_type":"Line","deprecated":false,"signature_version":"v1","id":"CVE-2024-38475-65e681b8","digest":{"threshold":0.9,"line_hashes":["202086479493310121032538961459439885757","58894836514094647113024331222784170078","329077232432172807544131099844128315767","154821257176690317217391034430281880915","62
544783868119878418438886370652316945","276170243926874994184442082540137371111","113148534754868684741154203128872360887","272100735403361989298344445004647452895","3801526222766413324966050149930358199","177884113068834578942697109622049332336","312503007117064120309219985131299569875","37235681922018484022826313020607416009","284531365319165014459348049656763328177","11526915861048331948992309700118793723","267868390585593816517915983992887850017","316640517145677391225316056729896485937","45217035488790743006944682471194670441","246260056758550332981399783325149370436","285110639281266854884318717099902951470","214443040754532220015779554246693207015","304842378204146098382649061964310214830","97024778387015404050258718564893307452","267117734820147408642300077819563874104","73292184583858486280372754150174098387","207468897473180992131176990665537098774","292750830595119534884242495446970407311","75689281603696167230968304231090594723","310720727494196633591846142001541261712","196079847792087105965625929407123877350","117412852780802245532193673188613580811","281906901316479584913429074089142884817","34605178222118688031298121978654139017","66842801806439890960033289525167362145","221401481175288807194014039519043881029","85473890119466119939818741385470702868","204892877282662997527790428460607120316","128048893597964933602001837524261817226","87903046665730789059624946175083630827","287714627651422178815203464127972087655","15624748602483652518462410023590325996","263056592206308175495754858649798411080","195375821796157260223976918042040060051","112781051421162316309107702972140558615","145854369943477664809207222130889276756","244151652853558893830500734828552185610","180506947419246768526120909795115542168","314510602938530557093703360741545987848","14092414422471552412311769568453078056","147712747338088360099731741636244043670","117280451024846028320899514245560702902","312344893608069742290014832773225255660","294562698926919878873626492934072718587","1
65768888912747673572736168078697595373","124201519229420791304332827781961861525","187257206774483365926190609757812755096","336225816648057384478323450110277180356","248910526787141596590091956314174299162","282612901651928681426722876825882199921","86704053180828907705537212319859713494","175756352702789446982339729371946920718","20865153043165562136167875239384697439","63360031864967940743821362924211039198","230001855502876564552687386760365467912","291007144957220533403068084810233823950","208731111261205935070832531811048250029","7451769926316219599930833519042476519","279834528954978845511066327565123057769","118200390284839839859284445966319801989","283691270003425244125250067854159469027","174116014431656697882070183826126967433","257900994117026436711420662791018981594","319710609023769620839187058563206396128","165788434658952802497421175384124904949","59110967857048510259095367232279402944","249695791749023667040307034211727530326","30419953907188408410197147653746040008","75554817766349886304609269105298717912","57182880295289325903772966070015359747","50888827680728672113209725516498201300","317486343809644947077194197030802253653","126617103068445006843189470445909651920","68960774741719252237895797265209378445","9554452540616322761149800866454554781","314110378036026697268990882730974073181","111153134726640460620188669027691291919","112111819024536764856983281437112891452","250457213071530738192992521167632313678","225612605908386104561276085426645749160","276207722139571363156119888015260636842","201556055088296887279145181185496589445","232461664868193285792006414400558011409","144968888665312165596961539231365981477","324842831437109524289162287251519450898","269489381746996620874541485706974152699","326644015187222573623180726820773999927","272919623540756129478666873991044659326","291702061068546358450589822197788537056","256783914155362543982159918869322662046","304571553946108307156838672455833524891","12903731669932491887159251093434081835",
"46215853247590785980449826528912884051","260855136197815314190752095768020901582","22390222055642062314554264751149619861","93274728876805583721968701755384491473","21276981720781655049026510310078494982","181852243344663258610871535338844555543","289624396074508760092356204974631549249","11282922432231575447807654814319018885","285817398881528713232137054264452501830","49282100278368925842532852734216585111","144968888665312165596961539231365981477","229722053871362465224846588231214403263","25924895485315406605202651130421817000","75917131521180778359308327128043036693"]},"target":{"file":"modules/mappers/mod_rewrite.c"}},{"signature_type":"Function","digest":{"length":7049,"function_hash":"284240994557589285928391504033549548052"},"deprecated":false,"signature_version":"v1","id":"CVE-2024-38475-cece62f3","source":"https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf","target":{"function":"hook_uri2file","file":"modules/mappers/mod_rewrite.c"}},{"source":"https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf","signature_type":"Function","deprecated":false,"signature_version":"v1","id":"CVE-2024-38475-d6fa54dc","digest":{"length":1869,"function_hash":"141911386524427811854533429424138020680"},"target":{"function":"cmd_rewriteoptions","file":"modules/mappers/mod_rewrite.c"}},{"source":"https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf","signature_type":"Function","deprecated":false,"signature_version":"v1","id":"CVE-2024-38475-d89f3b0b","digest":{"length":5244,"function_hash":"223280014341234126867534167823714065949"},"target":{"function":"cmd_rewriterule_setflag","file":"modules/mappers/mod_rewrite.c"}},{"digest":{"length":6935,"function_hash":"151572592537426846915415831172553398135"},"signature_type":"Function","deprecated":false,"signature_version":"v1","id":"CVE-2024-38475-e19c91a2","source":"https://github.com/apache/httpd/commit/9a6157d1e2f7ab15963020381054b48782bc18cf","targe
t":{"function":"hook_fixup","file":"modules/mappers/mod_rewrite.c"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}