CVE-2024-38473

NameCVE-2024-38473
DescriptionEncoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5729-1, ELA-1234-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache2 (PTS)jessie, jessie (lts)2.4.10-10+deb8u29vulnerable
stretch (security)2.4.25-3+deb9u13vulnerable
stretch (lts), stretch2.4.25-3+deb9u19vulnerable
buster, buster (lts)2.4.59-1~deb10u4fixed
buster (security)2.4.59-1~deb10u1vulnerable
bullseye2.4.62-1~deb11u1fixed
bullseye (security)2.4.62-1~deb11u2fixed
bookworm (security), bookworm2.4.62-1~deb12u2fixed
sid, trixie2.4.62-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache2sourcebuster2.4.59-1~deb10u4ELA-1234-1
apache2sourcebullseye2.4.61-1~deb11u1DSA-5729-1
apache2sourcebookworm2.4.61-1~deb12u1DSA-5729-1
apache2source(unstable)2.4.60-1

Notes

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38473
https://github.com/apache/httpd/pull/457
https://github.com/apache/httpd/pull/458
Fixed by [1/4] https://github.com/apache/httpd/commit/b10cb2d69184843832d501a615abe3e8e5e256dc
Fixed by [2/4] https://github.com/apache/httpd/commit/6b8e043ce4f27114e6ae1b8176b629b7cb3fbbce
Fixed by [3/4] https://github.com/apache/httpd/commit/cc00cf6b4e37370897daddc307bf1deecf8fedfa
Fixed by [4/4] https://github.com/apache/httpd/commit/4326d6b9041a3bcb9b529f9163d0761c2d760700
Regression [1/2] bug apache: https://bz.apache.org/bugzilla/show_bug.cgi?id=69160
Regression [1/2] related to https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2073515
Regression [1/2] tracked at debian bug: https://bugs.debian.org/1076554
Regression [1/2] Fix: https://github.com/apache/httpd/commit/2f2f82a2225c5c3b6bb2fa4056541682e34763d4
Regression [2/2] bug apache: https://bz.apache.org/bugzilla/show_bug.cgi?id=69203
Regression [2/2] tracked at https://bugs.debian.org/1079171

Search for package or bug name: Reporting problems