CVE-2024-38474 – A substitution encoding vulnerability in Apache... (How to Fix)

Q: What is the severity of CVE-2024-38474?

CVE-2024-38474 has a CVSS score of 9.8 (CRITICAL). A substitution encoding vulnerability in Apache HTTP Server's mod_rewrite module allows attackers to bypass security restrictions and execute scripts in directories that should be protected. This affects Apache HTTP Server versions 2.4.59 and earlier. Attackers can potentially execute arbitrary code or access sensitive files that should only be accessible via CGI execution.

📋 TL;DR

A substitution encoding vulnerability in Apache HTTP Server's mod_rewrite module allows attackers to bypass security restrictions and execute scripts in directories that should be protected. This affects Apache HTTP Server versions 2.4.59 and earlier. Attackers can potentially execute arbitrary code or access sensitive files that should only be accessible via CGI execution.

💻 Affected Systems

Products:

Apache HTTP Server

Versions: 2.4.59 and earlier

Operating Systems: All operating systems running affected Apache versions

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when using specific RewriteRule configurations that capture and substitute unsafely. The vulnerability requires mod_rewrite to be enabled and configured with problematic rules.

📦 What is this software?

Clustered Data Ontap by Netapp

View all CVEs affecting Clustered Data Ontap →

Http Server by Apache

View all CVEs affecting Http Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Unauthorized script execution leading to information disclosure, privilege escalation, or limited code execution within web server context.

🟢

If Mitigated

Limited impact due to proper input validation, minimal mod_rewrite usage, and restricted directory permissions.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires specific mod_rewrite configurations and understanding of substitution encoding issues. No public exploit code has been identified at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.60

Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html

Restart Required: Yes

Instructions:

1. Download Apache HTTP Server 2.4.60 from official Apache mirrors. 2. Stop the Apache service. 3. Backup current configuration files. 4. Install the new version following platform-specific installation procedures. 5. Restore configuration files. 6. Start the Apache service. 7. Test functionality.

🔧 Temporary Workarounds

Disable problematic RewriteRules

all

Identify and disable or modify RewriteRules that capture and substitute unsafely. Add the 'UnsafeAllow3F' flag to rules that require unsafe substitution.

# Review .htaccess and httpd.conf files for RewriteRule directives
# Add [UnsafeAllow3F] flag to rules requiring unsafe substitution
# Example: RewriteRule ^pattern$ substitution [UnsafeAllow3F]

Restrict mod_rewrite usage

all

Disable mod_rewrite module if not required for critical functionality.

# Comment out or remove LoadModule rewrite_module modules/mod_rewrite.so in httpd.conf
# Restart Apache after changes

🧯 If You Can't Patch

Implement strict input validation and sanitization for all mod_rewrite substitutions
Apply network segmentation and restrict Apache server access to trusted networks only

🔍 How to Verify

Check if Vulnerable:

Check Apache version with 'httpd -v' or 'apache2 -v' and verify if it's 2.4.59 or earlier. Review mod_rewrite configuration for unsafe substitution patterns.

Check Version:

httpd -v  # or apache2 -v depending on installation

Verify Fix Applied:

Verify Apache version is 2.4.60 or later. Test previously vulnerable RewriteRules to ensure they either work correctly with UnsafeAllow3F flag or fail safely.

📡 Detection & Monitoring

Log Indicators:

Unusual access patterns to protected directories
Failed CGI execution attempts
mod_rewrite rule processing errors
Access to scripts outside expected URL paths

Network Indicators:

HTTP requests with unusual encoding patterns
Requests attempting to bypass directory restrictions
Unexpected script execution patterns

SIEM Query:

source="apache_access" AND (uri="/cgi-bin/*" OR uri="*.cgi" OR uri="*.pl") AND status=200 | stats count by src_ip, uri

📊 Metadata

CVE ID: CVE-2024-38474

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-116

Published: July 1, 2024

Last Updated: March 25, 2025

🔗 References

https://httpd.apache.org/security/vulnerabilities_24.html Vendor Advisory
https://security.netapp.com/advisory/ntap-20240712-0001/ Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/07/01/7
https://httpd.apache.org/security/vulnerabilities_24.html Vendor Advisory
https://security.netapp.com/advisory/ntap-20240712-0001/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-38474, you might also want to check these: