CVERadar
Edition used by more than 30,000 companies in more than 150 countries.
Sign Up For FreeCVE-2024-38475
Critical Severity|Apache
84
SVRS
9.1
CVSSv3
0.99957
EPSS
TAGS
In The WildExploit AvaliableCISA KEVExploit Available
VECTOR STRING
CVSS:3.1AV:NAC:LPR:NUI:NS:UC:HI:HA:N
PUBLICATION DATE2024-07-01
LAST MODIFIED2025-11-03
Deep CVE Analysis in Progress
The system is currently conducting an in-depth analysis of the selected CVE. This includes advanced correlation, vulnerability classification, and cross-referencing with real-time threat intelligence sources. Once the analysis is complete, the page will automatically update with enriched vulnerability data and actionable insights.
Security Intelligence Brief
1. What is this vulnerability and why does it matter?
This vulnerability, CVE-2024-38475, is an improper escaping of output issue within the `mod_rewrite` module of the Apache HTTP Server. It allows an attacker to manipulate URLs to access filesystem locations that are not intended to be directly reachable via URLs, but are permitted to be served by the server. This is critical because it can lead to remote code execution or the disclosure of sensitive source code. The vulnerability specifically affects substitutions in the server context that use backreferences or variables as the first segment of the substitution.
2. What are the CVSS score, severity level, and disclosure details?
The CVSS score for this vulnerability is 9.1, which designates it as a Critical severity level. The vulnerability was published on July 1, 2024, at 18:15:12 UTC, and was last modified on November 3, 2025, at 21:55:40 UTC.
3. Which products, vendors, systems, and versions are affected?
The affected product is the Apache HTTP Server, specifically versions 2.4.59 and earlier. The vendor is the Apache Foundation.
4. What is the technical root cause and attack vector?
The technical root cause is an improper escaping of output within the `mod_rewrite` module. This flaw occurs when substitutions in the server context utilize backreferences or variables as the initial segment of the substitution. The attack vector involves an attacker crafting specific URLs that exploit this improper escaping to map to unintended filesystem locations.
5. How can this vulnerability be exploited?
An attacker can exploit this vulnerability by crafting malicious URLs that, due to the improper output escaping in `mod_rewrite`, are incorrectly mapped to sensitive filesystem locations on the server. By successfully manipulating these URLs, an attacker can either achieve remote code execution on the server or force the disclosure of sensitive source code. The exploit specifically targets configurations where `RewiteRules` use backreferences or variables as the first segment of a substitution within the server context.
6. What mitigation steps and patches are available?
The primary mitigation is to upgrade the Apache HTTP Server to a version beyond 2.4.59 (e.g., 2.4.60 or later) that addresses this improper escaping. The patch will likely modify how `mod_rewrite` handles substitutions, potentially breaking some existing unsafe `RewriteRules`. For those specific rules, the `UnsafePrefixStat` rewrite flag can be used to opt back into the previous behavior, but only after ensuring the substitution is appropriately constrained and safe.
7. How can vulnerable systems be detected?
Vulnerable systems can be detected by checking the version of the Apache HTTP Server installed. Any installation running Apache HTTP Server version 2.4.59 or earlier is vulnerable. Administrators should also review their `mod_rewrite` configurations for `RewriteRules` that use backreferences or variables as the first segment of a substitution in a server context, as these are the specific patterns exploited by this vulnerability.
10. What public intelligence references and advisories exist?
The primary public intelligence reference is the CVE identifier: CVE-2024-38475. This CVE was published on July 1, 2024. Additionally, information indicates that active exploits have been published, suggesting the vulnerability is publicly known and actively targeted.
11. What is the risk assessment and urgency level?
The risk assessment for CVE-2024-38475 is Critical, as indicated by its CVSS score of 9.1. The potential impacts include remote code execution and sensitive source code disclosure, both of which are high-severity outcomes. The urgency level is extremely high, as active exploits have been published, meaning attackers are likely attempting to leverage this vulnerability. Immediate patching and mitigation efforts are strongly recommended to protect affected systems.
Enhance Your CVE Management with SOCRadar Vulnerability Intelligence
Get comprehensive CVE details, real-time notifications, and proactive threat management all in one platform.
CREATE FREE ACCOUNTCVE Details
Access comprehensive CVE information instantly
Real-time Tracking
Subscribe to CVEs and get instant updates
Exploit Analysis
Monitor related APT groups and threats
IOC Tracking
Analyze and track CVE-related IOCs
CVE Radar
Real-time CVE Intelligence & Vulnerability Management Platform
CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.