SentinelOne
CVE Vulnerability Database
Vulnerability Database/CVE-2024-38475

CVE-2024-38475: Apache HTTP Server Path Traversal Flaw

CVE-2024-38475 is a path traversal vulnerability in Apache HTTP Server affecting mod_rewrite. Attackers can access unintended filesystem locations, leading to code execution or source disclosure. This article covers technical details, affected versions, and mitigation strategies.

Updated:

CVE-2024-38475 Overview

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.

Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change and the rewrite flag UnsafePrefixStat can be used to opt back in once ensuring the substitution is appropriately constrained.

Critical Impact

This vulnerability can lead to remote code execution or source code disclosure in affected systems.

Affected Products

  • Apache HTTP Server 2.4.59 and earlier
  • NetApp ONTAP 9
  • SonicWall SMA 200, 210, 400, 410, 500v and their firmware

Discovery Timeline

  • 2024-07-01 - CVE-2024-38475 published to NVD
  • 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2024-38475

Vulnerability Analysis

This vulnerability arises from improper escaping of output in the mod_rewrite module of Apache HTTP Server. It allows attackers to map URLs to unauthorized filesystem locations, leading to potential code execution or source code disclosure.

Root Cause

The root cause is improper handling and escaping of substitution strings, specifically when backreferences or variables are used as the first segment of the substitution.

Attack Vector

The attack vector is a network-based attack where malicious URLs are crafted to exploit the flawed rewriting rules.

apache
# Example exploitation code (sanitized)
RewriteRule "^(.*)$" "/var/www/$1" [L]

Detection Methods for CVE-2024-38475

Indicators of Compromise

  • Unexpected HTTP responses showing filesystem paths
  • Logs indicating access to restricted files through crafted URLs

Detection Strategies

Monitoring for unusual rewrite rule execution and logging patterns in Apache can help identify exploitation attempts. Reviewing access logs for unusual or unauthorized file access patterns is crucial.

Monitoring Recommendations

Implement alerts for any access patterns that expose the server file system or unusual rewrite rule actions. Ensure comprehensive logging is enabled in Apache for all requests.

How to Mitigate CVE-2024-38475

Immediate Actions Required

  • Review and sanitize mod_rewrite rules to avoid exploitation.
  • Disable unsafe RewriteRules and test configurations thoroughly if using UnsafePrefixStat.
  • Update to the latest version of Apache HTTP Server.

Patch Information

Updates are available from Apache. Ensure to apply the latest patches as per official Apache guidance.

Workarounds

To mitigate the risk without immediate patching, sanitize and review all rewrite rules extensively. Utilize the UnsafePrefixStat flag with caution after ensuring rewrite security.

bash
# Configuration example
a2enmod rewrite
# Ensure AllowOverride is disabled in sensitive directories
disable AllowOverride All

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne