Overview
Apache HTTP Server versions 2.4.59 and earlier contain a critical URL mapping vulnerability in mod_rewrite caused by improper escaping of special characters. This flaw allows attackers who can control URL input to map URLs to unintended filesystem locations, potentially enabling arbitrary code execution or disclosure of sensitive source code. The vulnerability affects the core URL rewriting mechanism and can bypass intended access controls. The vulnerability was disclosed on July 1, 2024. CISA has identified CVE-2024-38475 as being exploited, but it is not currently known to be used in ransomware campaigns.
Technical details
Apache HTTP Server's mod_rewrite module improperly escapes certain characters when processing URL rewrite rules. This allows attackers to craft malicious URLs that bypass the intended path restrictions and map to arbitrary filesystem locations. The vulnerability stems from insufficient sanitization of user-controlled input in the rewrite engine, which fails to properly neutralize special characters that have meaning in filesystem paths or rewrite directives. An attacker can exploit this to access files outside the intended document root, potentially including application source code, configuration files with credentials, or executable scripts.
The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), CWE-116 (Improper Encoding or Escaping of Output) and CWE-644 (Improper Restriction of Rendered UI Layers or Frames).
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.
Impact
Successful exploitation can lead to: (1) Remote Code Execution - if the attacker maps URLs to executable scripts or can access interpreted files; (2) Source Code Disclosure - accessing .php, .py, .js source files outside the intended document root; (3) Configuration File Access - reading database credentials, API keys, and other sensitive configurations; (4) System File Access - potential access to /etc/passwd, /etc/shadow, or other critical system files, depending on the web server's privileges; (5) Bypass of Access Controls - circumventing authentication and authorization mechanisms. The Changed scope (S:C) in the vector indicates the vulnerability can affect resources beyond the vulnerable component, potentially compromising the entire system.
Mitigation and workarounds
Update Apache HTTP Server to version 2.4.60 or later; these are the releases that include the necessary fixes. For systems using package managers: (1) AlmaLinux/Rocky/RHEL: `dnf update httpd` or `yum update httpd` and restart httpd; (2) Debian/Ubuntu: `apt update && apt upgrade apache2` and restart apache2; (3) Alpine: `apk upgrade apache2` and restart apache2; (4) Manual build: download and compile httpd 2.4.60+ from https://httpd.apache.org/download.cgi. After updating, verify the version with `httpd -v` and restart the web server.
As temporary workarounds: (1) Disable mod_rewrite if the application does not require it: remove or comment out `LoadModule rewrite_module modules/mod_rewrite.so` in httpd.conf and restart the server. (2) Implement strict input validation and filtering at the application level, and use web application firewall (WAF) rules to block requests containing path traversal sequences (`../`, `.\`, etc.) and special characters that could be used to exploit the vulnerability. (3) Restrict filesystem permissions: ensure the Apache process runs with minimal privileges and the document root is properly isolated, and use chroot jails or containerization to limit filesystem access. (4) Review and simplify mod_rewrite rules: audit all RewriteRule and RewriteCond directives to ensure they properly validate and escape all user-controlled input, and remove unnecessary or overly broad rules.
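To support the version check after updating and the audit of mod_rewrite rules in the workarounds, the following added Python script (not part of this advisory or of the Apache project) parses `httpd -v` output, compares it against the 2.4.60 fix version, and inventories active RewriteRule/RewriteCond directives in a config; the sample banner and config are constructed, and the function names are this example's own.

```python
import re

# First release carrying the fix for CVE-2024-38475, as stated in the advisory.
FIXED_VERSION = (2, 4, 60)

# Constructed sample data so the script runs offline; on a host, feed it `httpd -v` output and httpd.conf.
SAMPLE_BANNER = "Server version: Apache/2.4.59 (Unix)\nServer built:   Apr  4 2024 00:00:00"
SAMPLE_CONFIG = """\
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule rewrite_module modules/mod_rewrite.so
RewriteCond %{REQUEST_URI} ^/old/
RewriteRule ^/old/(.*)$ /new/$1 [L]
"""

def parse_httpd_version(banner):
    """Return (major, minor, patch) from `httpd -v` output such as 'Apache/2.4.59', or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable_version(version):
    """2.4.59 and earlier are affected; tuple comparison avoids string traps like '2.4.6' > '2.4.59'."""
    return version < FIXED_VERSION

def active_lines(config):
    """Yield (line number, stripped text) for config lines that are neither blank nor comments."""
    for n, line in enumerate(config.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#"):
            yield n, s

def rewrite_module_loaded(config):
    """True if an uncommented LoadModule for rewrite_module exists (directives are case-insensitive)."""
    return any(re.match(r"LoadModule\s+rewrite_module\b", s, re.I) for _, s in active_lines(config))

def rewrite_directives(config):
    """Every active RewriteRule/RewriteCond with its line number, as input to the manual audit step."""
    return [(n, s) for n, s in active_lines(config) if re.match(r"Rewrite(Rule|Cond)\b", s, re.I)]

def assess(banner, config):
    """Combine the checks into one finding: is an update needed, is mod_rewrite active, what to audit."""
    version = parse_httpd_version(banner)
    needs_update = version is not None and is_vulnerable_version(version)
    loaded = rewrite_module_loaded(config)
    return {
        "version": version,
        "needs_update": needs_update,
        "mod_rewrite_loaded": loaded,
        "rewrite_directives": rewrite_directives(config),
        "exposed": needs_update and loaded,  # unpatched build with the affected module active
    }
```

Calling `assess(SAMPLE_BANNER, SAMPLE_CONFIG)` on the constructed data reports an exposed 2.4.59 build with two directives to audit; the script only inventories rules, it does not judge whether a given rule is safe.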
CISA's recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated using AI

