oss-sec mailing list archives
CVE-2024-43204: Apache HTTP Server: SSRF with mod_headers setting Content-Type header
From: Eric Covener <covener () apache org>
Date: Thu, 10 Jul 2025 17:12:36 +0000
Severity: low

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.63

Description:

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.

Users are recommended to upgrade to version 2.4.64 which fixes this issue.

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-43204

Timeline:

2024-08-07: reported
2025-07-07: 2.4.x revision
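
To check whether a configuration matches the precondition described above, the following added example (not part of the advisory and not Apache project code) scans httpd configuration text for Header/RequestHeader directives that set Content-Type from a non-literal value. Treating any %{...} specifier or expr= value as possibly request-derived is a conservative assumption of this example, and the sample configuration is constructed.

```python
import re
import shlex

# Assumption: a %{...} specifier or an expr= value may carry request data.
DYNAMIC = re.compile(r"%\{[^}]*\}|^expr=", re.IGNORECASE)
VALUE_ACTIONS = {"set", "setifempty", "add", "append", "merge", "edit", "edit*"}
SAMPLE = r'''# constructed sample config, not taken from the advisory
Header set Content-Type "text/html; charset=utf-8"
RequestHeader set Content-Type "expr=%{req:X-Upstream-Type}"
Header always set Content-Type \
    "%{CT_OVERRIDE}e"
Header set Cache-Control "expr=%{resp:X-Cache}"
'''

def logical_lines(text):
    """Yield (first_line_number, directive), joining backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf, first, start = (buf + raw).strip(), "", start, None
        if line and not line.startswith("#"):
            yield first, line

def audit(text):
    """Return (line_number, directive) for Content-Type rules with a dynamic value."""
    findings = []
    for n, line in logical_lines(text):
        try:
            tok = shlex.split(line)
        except ValueError:          # unbalanced quote: fall back to whitespace split
            tok = line.split()
        if not tok or tok[0].lower() not in ("header", "requestheader"):
            continue
        args = tok[1:]
        if args and args[0].lower() in ("always", "onsuccess"):  # optional condition
            args = args[1:]
        if len(args) < 3 or args[0].lower() not in VALUE_ACTIONS:
            continue
        action, name = args[0].lower(), args[1].rstrip(":").lower()
        # edit/edit*: args[2] is the regex, args[3] the replacement format string
        vals = args[3:4] if action.startswith("edit") else args[2:3]
        if name == "content-type" and any(DYNAMIC.search(v) for v in vals):
            findings.append((n, line))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A finding only marks a directive for manual review; Include'd files and .htaccess files must be passed to audit() separately.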
