CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
Low
Security Advisory Description
null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue. (CVE-2024-38477)
Impact
Attackers can exploit this vulnerability by crafting HTTP requests with deliberately incorrect URL encoding, potentially bypassing security controls that rely on proper URL parsing and authentication. This could result in security breaches, data exposure, or disruptions in service. There is no data plane exposure; this is a control plane issue only.
Vendor | Product | Version | CPE |
---|---|---|---|
f5 | big-ip_next_central_manager | 20.2.0 | cpe:2.3:a:f5:big-ip_next_central_manager:20.2.0:*:*:*:*:*:*:* |
f5 | big-ip_next_central_manager | 20.2.1 | cpe:2.3:a:f5:big-ip_next_central_manager:20.2.1:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.1.0 | cpe:2.3:a:f5:big-ip_next:1.1.0:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.1.1 | cpe:2.3:a:f5:big-ip_next:1.1.1:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.2.0 | cpe:2.3:a:f5:big-ip_next:1.2.0:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.2.1 | cpe:2.3:a:f5:big-ip_next:1.2.1:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.3.0 | cpe:2.3:a:f5:big-ip_next:1.3.0:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.3.1 | cpe:2.3:a:f5:big-ip_next:1.3.1:*:*:*:*:*:*:* |
f5 | big-ip_dns | 1.1.0 | cpe:2.3:a:f5:big-ip_dns:1.1.0:*:*:*:*:*:*:* |
f5 | big-ip_dns | 1.1.1 | cpe:2.3:a:f5:big-ip_dns:1.1.1:*:*:*:*:*:*:* |