Wind River Support Network

Meet the Support Network

Home CVE Database CVE-2024-38475

CVE-2024-38475

Description

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag UnsafePrefixStat can be used to opt back in once ensuring the substitution is appropriately constrained.

Priority: --
CVSS v3: 9.1
Component: apache2
Publish Date: Jul 1, 2024
Related ID: --
CVSS v2: CRITICAL
Modified Date: Jul 2, 2024

Find out more about CVE-2024-38475 from the MITRE-CVE dictionary and NIST NVD


Products Affected

Login may be required to access defects or downloads.

Product Name Status Defect Fixed Downloads
Linux
Wind River Linux LTS 17 Requires LTSS -- -- --
Wind River Linux 8 Requires LTSS -- -- --
Wind River Linux 9 Requires LTSS -- -- --
Wind River Linux 7 Requires LTSS -- -- --
Wind River Linux LTS 21 Investigating -- -- --
Wind River Linux LTS 22 Fixed LIN1022-9601
10.22.33.18 --
Wind River Linux LTS 18 Requires LTSS -- -- --
Wind River Linux LTS 19 Fixed LIN1019-13687
10.19.45.32(hotfix) --
Wind River Linux CD release N/A -- -- --
Wind River Linux 6 Requires LTSS -- -- --
Wind River Linux LTS 23 Fixed LIN1023-6903
10.23.30.13 --
Wind River Linux LTS 24 Not Vulnerable LIN1024-2486
-- --
VxWorks
VxWorks 7 Not Vulnerable -- -- --
VxWorks 6.9 (End-of-Life) Not Vulnerable -- -- --
Helix Virtualization Platform Cert Edition
Helix Virtualization Platform Cert Edition Not Vulnerable -- -- --
eLxr
eLxr 12 Fixed -- 2.4.62-1~deb12u2 --
Wind River Studio Cloud Platform

Related Products

Product Name Status Defect Fixed Downloads

Notes
Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
Live chat
Online