| Name | CVE-2024-38473 |
| Description | Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-5729-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| apache2 (PTS) | jessie, jessie (lts) | 2.4.10-10+deb8u28 | vulnerable |
| stretch (security) | 2.4.25-3+deb9u13 | vulnerable | |
| stretch (lts), stretch | 2.4.25-3+deb9u18 | vulnerable | |
| buster, buster (lts) | 2.4.59-1~deb10u2 | vulnerable | |
| buster (security) | 2.4.59-1~deb10u1 | vulnerable | |
| bullseye | 2.4.62-1~deb11u1 | fixed | |
| bullseye (security) | 2.4.61-1~deb11u1 | fixed | |
| bookworm | 2.4.62-1~deb12u1 | fixed | |
| bookworm (security) | 2.4.61-1~deb12u1 | fixed | |
| trixie, sid | 2.4.62-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| apache2 | source | bullseye | 2.4.61-1~deb11u1 | DSA-5729-1 | ||
| apache2 | source | bookworm | 2.4.61-1~deb12u1 | DSA-5729-1 | ||
| apache2 | source | (unstable) | 2.4.60-1 |
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38473
https://github.com/apache/httpd/pull/457
https://github.com/apache/httpd/pull/458
Fixed by [1/4] https://github.com/apache/httpd/commit/b10cb2d69184843832d501a615abe3e8e5e256dc
Fixed by [2/4] https://github.com/apache/httpd/commit/6b8e043ce4f27114e6ae1b8176b629b7cb3fbbce
Fixed by [3/4] https://github.com/apache/httpd/commit/cc00cf6b4e37370897daddc307bf1deecf8fedfa
Fixed by [4/4] https://github.com/apache/httpd/commit/4326d6b9041a3bcb9b529f9163d0761c2d760700
Regression [1/2] bug apache: https://bz.apache.org/bugzilla/show_bug.cgi?id=69160
Regression [1/2] related to https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2073515
Regression [1/2] tracked at debian bug: https://bugs.debian.org/1076554
Regression [1/2] Fix: https://github.com/apache/httpd/commit/2f2f82a2225c5c3b6bb2fa4056541682e34763d4
Regression [2/2] bug apache: https://bz.apache.org/bugzilla/show_bug.cgi?id=69203
Regression [2/2] tracked at https://bugs.debian.org/1079171