Apache Web Server - Information Disclosure (CVE-2024-38475)
236 exploiting IPs reported
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change, and the rewrite flag "UnsafePrefixStat" can be used to opt back in once the substitution has been confirmed to be appropriately constrained.
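The description above singles out one configuration shape: a server-context RewriteRule whose substitution begins with a backreference (`$1`) or a variable (`%1`, `%{...}`) and that has not been explicitly opted back in with `UnsafePrefixStat`. The following audit script is an added example, not CrowdSec's or the Apache project's code; it assumes rules outside `<Directory>`/`<Location>`/`<Files>` sections are server context, and the configuration it scans is a constructed sample.

```python
import re

# Constructed sample httpd.conf fragment (not from any real deployment).
SAMPLE_CONF = """
RewriteEngine On
# server-context rule whose substitution begins with a backreference
RewriteRule ^/public/(.*)$ $1 [L]
# server-context rule whose substitution begins with a variable
RewriteRule ^/files/(.*)$ %{ENV:BASE}/$1 [L]
# same shape, but explicitly opted back in after review
RewriteRule ^/legacy/(.*)$ $1 [L,UnsafePrefixStat]
# substitution anchored with a fixed prefix: not the affected shape
RewriteRule ^/img/(.*)$ /var/www/static/$1 [L]
<Directory /var/www>
RewriteRule ^(.*)$ $1 [L]
</Directory>
"""

RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.IGNORECASE)
# Substitution whose first segment is a backreference ($N), a RewriteCond
# backreference (%N) or a variable expansion (%{...}).
UNSAFE_PREFIX_RE = re.compile(r'^(\$\d|%\d|%\{)')
# Sections treated as per-directory context (assumption: skipped by this audit).
SECTION_RE = re.compile(
    r'^\s*<(/?)(Directory|Location|Files|DirectoryMatch|LocationMatch|FilesMatch)\b',
    re.IGNORECASE)


def find_unsafe_prefix_rules(conf_text):
    """Return (line_no, substitution) for server-context RewriteRules whose
    substitution starts with a backreference or variable and that do not
    carry the UnsafePrefixStat flag."""
    findings = []
    depth = 0  # > 0 while inside a per-directory style section
    for no, line in enumerate(conf_text.splitlines(), 1):
        sec = SECTION_RE.match(line)
        if sec:
            depth += -1 if sec.group(1) else 1
            continue
        m = RULE_RE.match(line)
        if not m or depth > 0:
            continue
        subst, flags = m.group(2), (m.group(3) or "")
        flag_names = {f.strip().split('=')[0].lower() for f in flags.split(',')}
        if UNSAFE_PREFIX_RE.match(subst) and 'unsafeprefixstat' not in flag_names:
            findings.append((no, subst))
    return findings


if __name__ == "__main__":
    for line_no, subst in find_unsafe_prefix_rules(SAMPLE_CONF):
        print(f"line {line_no}: substitution '{subst}' starts with a backreference/variable")
```

Each reported rule is one to review against the 2.4.60 behaviour: either constrain the substitution so its first segment is fixed, or add `UnsafePrefixStat` only after confirming the substitution cannot reach unintended filesystem locations.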
CrowdSec analysis
CVE-2024-38475 is a high-severity vulnerability in Apache HTTP Server’s mod_rewrite module, stemming from improper output escaping. This flaw allows an attacker to craft URLs that bypass expected access controls, potentially mapping to unintended filesystem locations. Exploitation can lead to remote code execution or inadvertent source code disclosure.
CrowdSec has been tracking this vulnerability and its exploits since 22nd of August 2024.
Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2024-38475 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2024-38475 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2024-38475 continues to be an active part of the threat landscape and will likely remain so for the foreseeable future.
Observed exploitation attempts are associated with crafted URL rewriting that manipulates server context, specifically targeting rewrite rules likely to expose restricted resources.