CVE-2024-38473

8.1 HIGH

📋 TL;DR

This vulnerability in Apache HTTP Server's mod_proxy module allows attackers to send requests whose URLs carry incorrect encoding through the proxy to backend services, which can bypass authentication mechanisms on those backends. It affects Apache HTTP Server versions 2.4.59 and earlier when mod_proxy is enabled.

💻 Affected Systems

Products:
  • Apache HTTP Server
Versions: 2.4.59 and earlier
Operating Systems: All operating systems running affected Apache versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when mod_proxy is enabled and configured to proxy requests to backend services.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers bypass authentication on backend applications, gaining unauthorized access to sensitive data or administrative functions.

🟠 Likely Case

Authentication bypass on specific backend services that rely on URL-based access controls, potentially exposing internal applications.

🟢 If Mitigated

Limited impact if backend services have additional authentication layers or don't rely solely on URL-based access controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires knowledge of backend service authentication mechanisms and ability to craft specific URL encoding patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.60

Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html

Restart Required: Yes

Instructions:

1. Download Apache HTTP Server 2.4.60 from the official Apache website.
2. Stop the Apache service.
3. Back up the current configuration.
4. Install the new version.
5. Restore the configuration.
6. Start the Apache service.

🔧 Temporary Workarounds

Disable mod_proxy (applies to: all)

Remove or comment out the mod_proxy module loading if it is not required.

# In httpd.conf: comment out 'LoadModule proxy_module modules/mod_proxy.so' and the related proxy modules

Restrict proxy destinations (applies to: all)

Limit proxy configurations to trusted backend services only.

# In the proxy configuration: use explicit ProxyPass directives with specific paths

🧯 If You Can't Patch

  • Implement WAF rules to detect and block malformed URL encoding patterns
  • Add additional authentication layers on backend services that don't rely solely on URL-based controls

🔍 How to Verify

Check if Vulnerable:

Check the Apache version with 'httpd -v' and confirm whether mod_proxy is loaded in the configuration files; the server is only exposed when both conditions hold (version 2.4.59 or earlier and mod_proxy enabled).

Check Version:

httpd -v

Verify Fix Applied:

Verify the Apache version is 2.4.60 or later: 'httpd -v' should report version 2.4.60+.
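The version and module checks above, combined into one script that can be run across a fleet. This is an added example, not code from the advisory or the Apache project; it assumes `httpd` (or `apache2ctl` on Debian-style installs) is on PATH when run live, and that the `-v` and `-M` flags produce output in the usual format, which the constructed samples below imitate.

```python
"""Check whether an Apache build is in the affected range for CVE-2024-38473
and whether mod_proxy is loaded. Added example, not from the advisory page or the
Apache project. Assumes `httpd -v` / `httpd -M` (or `apache2ctl -v` / `-M`) are on
PATH when run live; the parsing functions work on captured output as well."""
import re
import shutil
import subprocess

FIXED_VERSION = (2, 4, 60)  # first release containing the fix, per the advisory

# Constructed sample output in the format `httpd -v` and `httpd -M` produce
SAMPLE_VERSION_OUTPUT = (
    "Server version: Apache/2.4.59 (Unix)\n"
    "Server built:   Apr  4 2024 00:00:00\n"
)
SAMPLE_MODULES_OUTPUT = (
    "Loaded Modules:\n"
    " core_module (static)\n"
    " proxy_module (shared)\n"
    " proxy_http_module (shared)\n"
)


def parse_httpd_version(output):
    """Extract (major, minor, patch) from `httpd -v` output; None if not found."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(version):
    """True when the running build is 2.4.60 or later."""
    return version is not None and version >= FIXED_VERSION


def proxy_modules_loaded(output):
    """Return the names of loaded proxy_* modules from `httpd -M` output."""
    names = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].startswith("proxy"):
            names.append(parts[0])
    return names


def assess(version_output, modules_output):
    """Combine both checks: exposed only if unpatched AND mod_proxy is loaded."""
    version = parse_httpd_version(version_output)
    proxies = proxy_modules_loaded(modules_output)
    return {
        "version": version,
        "fixed": is_fixed(version),
        "proxy_modules": proxies,
        "exposed": (not is_fixed(version)) and "proxy_module" in proxies,
    }


def run_live():
    """Run the real binary if present; returns None when no Apache is installed."""
    binary = shutil.which("httpd") or shutil.which("apache2ctl")
    if binary is None:
        return None
    v = subprocess.run([binary, "-v"], capture_output=True, text=True, check=False)
    m = subprocess.run([binary, "-M"], capture_output=True, text=True, check=False)
    # Older builds print -M output to stderr, so read both streams
    return assess(v.stdout + v.stderr, m.stdout + m.stderr)


if __name__ == "__main__":
    result = run_live() or assess(SAMPLE_VERSION_OUTPUT, SAMPLE_MODULES_OUTPUT)
    print(result)
```

When no Apache binary is found the script falls back to the constructed samples so the logic can be exercised offline; "exposed" is deliberately a necessary-condition check (old version plus mod_proxy loaded), since whether the module is actually configured to proxy anything still has to be read from the ProxyPass directives.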

📡 Detection & Monitoring

Log Indicators:

  • Malformed percent-encoding in request URLs in access logs (a '%' not followed by two hexadecimal digits)
  • Failed authentication attempts followed by successful access to protected resources

Network Indicators:

  • HTTP requests with malformed URL encoding sent to proxy endpoints

SIEM Query:

source="apache_access" AND url MATCHES "%(?![0-9A-Fa-f]{2})"

(The pattern flags a '%' that is not followed by two hexadecimal digits. Matching every '%' would also flag all legitimately percent-encoded URLs and bury the signal in noise.)
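The same detection logic as the SIEM query, applied to raw access log lines so it can be run where no SIEM is available or to validate the query before deploying it. Added example, not code from the advisory page or the Apache project; the combined log format parser, the `scan` and `summarize` helper names, and the sample log lines are all constructed here.

```python
"""Scan Apache combined-format access logs for malformed percent-encoding in the
request path. Added example for the detection section, not from the advisory page
or the Apache project. The log lines below are constructed samples."""
import re
from collections import Counter

# Combined/common log format: client, ident, user, [time], "METHOD PATH PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)
# A '%' that is not followed by exactly two hex digits is malformed percent-encoding
MALFORMED_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")

# Constructed sample: two well-formed requests, two with malformed encoding, one junk line
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2024:12:00:01 +0000] "GET /app/report HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jul/2024:12:00:02 +0000] "GET /app/%41ccount HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Jul/2024:12:00:03 +0000] "GET /app/%zz/report HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Jul/2024:12:00:04 +0000] "GET /app/report% HTTP/1.1" 404 0',
    'this line is not in combined log format',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def malformed_sequences(path):
    """Return each malformed '%' occurrence with up to two following chars for context."""
    return [path[m.start():m.start() + 3] for m in MALFORMED_RE.finditer(path)]


def scan(lines):
    """Return one finding per request whose path contains malformed percent-encoding."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than aborting the scan
        bad = malformed_sequences(rec["path"])
        if bad:
            findings.append({
                "client": rec["client"],
                "time": rec["time"],
                "path": rec["path"],
                "status": int(rec["status"]),
                "sequences": bad,
            })
    return findings


def summarize(findings):
    """Count findings per client; the same aggregation a SIEM dashboard would show."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["client"]} {h["status"]} {h["path"]} malformed={h["sequences"]}')
    print(summarize(hits))
```

The status code is kept in each finding on purpose: a malformed request that was answered with 2xx through a proxied path is the case worth triaging first, while a rejected one mostly tells you someone is probing.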
