CVE-2024-38472

2024-07-0119:15:04

Debian Security Bug Tracker

security-tracker.debian.org

ssrf

apache http server

windows

ntml hashes

malicious requests

upgrade

unc paths

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.6

Confidence

Low

EPSS

0.001

Percentile

20.2%

JSON

SSRF in Apache HTTP Server on Windows allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new directive “UNCList” to allow access during request processing.

OSVersionArchitecturePackageVersionFilename
Debian12allapache2< 2.4.62-1~deb12u1apache2_2.4.62-1~deb12u1_all.deb
Debian11allapache2< 2.4.62-1~deb11u1apache2_2.4.62-1~deb11u1_all.deb
Debian999allapache2< 2.4.62-1apache2_2.4.62-1_all.deb
Debian13allapache2< 2.4.62-1apache2_2.4.62-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	apache2	< 2.4.62-1~deb12u1	apache2_2.4.62-1~deb12u1_all.deb
Debian	11	all	apache2	< 2.4.62-1~deb11u1	apache2_2.4.62-1~deb11u1_all.deb
Debian	999	all	apache2	< 2.4.62-1	apache2_2.4.62-1_all.deb
Debian	13	all	apache2	< 2.4.62-1	apache2_2.4.62-1_all.deb