Apache Web Server - Information Disclosure (CVE-2024-38475)
96 exploiting IPs reported
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreference or variable as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change, and the rewrite flag "UnsafePrefixStat" can be used to opt back in once the substitution has been appropriately constrained.
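An added audit helper (not from this page, CrowdSec or the Apache project) that scans an httpd-style configuration for RewriteRule directives of the affected shape, server-context rules whose substitution begins with a backreference or variable, and reports whether each one has already opted back in with the UnsafePrefixStat flag. The sample configuration is constructed, and the simplified parser assumes one directive per line with no line continuations.

```python
import re

# RewriteRule <pattern> <substitution> [flags]; pattern and substitution may be quoted or bare.
RULE_RE = re.compile(
    r'^\s*RewriteRule\s+(?:"([^"]*)"|(\S+))\s+(?:"([^"]*)"|(\S+))(?:\s+\[([^\]]*)\])?', re.I)
# Per-directory containers: rules inside them are not in server context.
# <VirtualHost> is server context, so it is deliberately not tracked.
PERDIR_OPEN = re.compile(r'^\s*<(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)\b', re.I)
PERDIR_CLOSE = re.compile(r'^\s*</(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)\s*>', re.I)
# Substitution whose first segment is a backreference ($N) or a variable (%{...}).
UNSAFE_PREFIX = re.compile(r'^(\$\d|%\{)')

def find_affected_rules(config_text):
    """Return (line_no, substitution, status) for server-context RewriteRule directives
    whose substitution starts with $N or %{...}. status is 'affected', or 'opted-in'
    when the rule already carries the UnsafePrefixStat flag."""
    depth, findings = 0, []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        if PERDIR_OPEN.match(line):
            depth += 1
            continue
        if PERDIR_CLOSE.match(line):
            depth = max(0, depth - 1)
            continue
        m = RULE_RE.match(line)
        if not m or depth:                      # not a rule, or per-directory context
            continue
        subst = m.group(3) if m.group(3) is not None else m.group(4)
        if subst == "-" or not UNSAFE_PREFIX.match(subst):
            continue                            # no substitution, or a literal first segment
        flags = {f.strip().lower() for f in (m.group(5) or "").split(",")}
        status = "opted-in" if "unsafeprefixstat" in flags else "affected"
        findings.append((line_no, subst, status))
    return findings

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONFIG = """\
RewriteEngine On
# server context, substitution starts with a backreference: the affected shape
RewriteRule "^/old/(.*)$" "$1"
# server context, but the substitution starts with a literal path: not affected
RewriteRule "^/blog/(.*)$" "/articles/$1" [L]
# per-directory context: not server context
<Directory "/var/www/html">
    RewriteRule "^(.*)$" "$1"
</Directory>
# affected shape, opted back in after the pattern was constrained
RewriteRule "^/dl/([a-z0-9]+)$" "%{DOCUMENT_ROOT}/files/$1" [UnsafePrefixStat]
"""

if __name__ == "__main__":
    for line_no, subst, status in find_affected_rules(SAMPLE_CONFIG):
        print(f"line {line_no}: substitution {subst!r} is {status}")
```

Rules reported as "affected" are the ones to review and constrain before upgrading, since the fixed releases stop honouring that substitution shape unless UnsafePrefixStat is set.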
CrowdSec analysis
CVE-2024-38475 is a high-severity vulnerability in Apache HTTP Server’s mod_rewrite module, stemming from improper output escaping. This flaw allows an attacker to craft URLs that bypass expected access controls, potentially mapping to unintended filesystem locations. Exploitation can lead to remote code execution or inadvertent source code disclosure.
CrowdSec has been tracking this vulnerability and its exploits since 22 August 2024.
CrowdSec network observations suggest that most exploitation of CVE-2024-38475 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration, so a given attack is unlikely to be accidental. In addition, according to the CrowdSec network, attack volume against CVE-2024-38475 has dipped slightly compared to the previous week. Although the vulnerability is still commonly targeted, the decline suggests a cooling-off period: long-term relevance remains, but attention is waning.
Observed exploitation attempts are associated with crafted URL rewriting that manipulates server context, specifically targeting rewrite rules likely to expose restricted resources.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.