CVE-2024-38474: Apache HTTP Server weakness with encoded question marks in backreferences

[Eric Covener <covener () apache org>]

Severity: important

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.59

Description:

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts 
in
directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant 
to only to be executed as CGI.

Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

Credit:

Orange Tsai (@orange_8361) from DEVCORE (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-38474

Timeline:

2024-04-01: reported