CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy handler substitution
First published: Mon Jul 01 2024(Updated: )
Apache HTTP Server is vulnerable to server-side request forgery, caused by a flaw in the mod_rewrite. By sending a specially crafted request, an attacker could exploit this vulnerability to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy.
Credit: security@apache.org CVE-2024-39573 CVE-2024-38477 CVE-2024-38476 an anonymous researcher Ivan Fratric Google Project ZeroMickey Jin @patch1t K宝 @Pwnrin Kirin @Pwnrin 7feilee pattern-f @pattern_F_ Loadshine LabHikerell Loadshine LabHossein Lotfi @hosselot Trend Micro Zero Day InitiativeAlexandre Bedard Ronny Stiftel Wang Yu CyberservalJunsung Lee Trend Micro Zero Day InitiativeJex Amro Zhongquan Li @Guluisacat Ye Zhang @VAR10CK Baidu SecurityMateusz Krzywicki @krzywix Garrett Moon Excited Pixel LLCArsenii Kostromin (0x3c3e) Ben Roeder Toomas Römer Jaime Bertran Noah Gregory (wts.dev) Un3xploitable CW Research IncBohdan Stasiuk @Bohdan_Stasiuk CW Research IncPedro Tôrres @t0rr3sp3dr0 Mickey Jin @patch1t KandjiCsaba Fitzl @theevilbit Kandjian anonymous researcher Dawn Security Lab of JDYinyi Wu @_3ndy1 Dawn Security Lab of JDNarendra Bhati Cyber Security at Suma Soft PvtManager Cyber Security at Suma Soft PvtPune (India) Lucas Di Tomase Ryan Dowd @_rdowd Gergely Kalman @gergely_kalman Csaba Fitzl @theevilbit Michael DePlante @izobashi Trend Micro Zero Day InitiativeHalle Winkler Politepix (theoffcuts.org) Bing Shi Alibaba GroupWenchao Li Alibaba GroupXiaolong Bai Alibaba Group Indiana University BloomingtonLuyi Xing Indiana University Bloomingtondw0r! Trend Micro Zero Day InitiativeRodolphe Brunetti @eisw0lf Cristian Dinca (icmd.tech) Wojciech Regula SecuRingQ1IQ @q1iqF P1umer @p1umer Bohdan Stasiuk @Bohdan_Stasiuk
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/apache2 | 2.4.62-1~deb11u1 2.4.61-1~deb11u1 2.4.62-1~deb12u1 2.4.62-1~deb12u2 2.4.62-3 | |
| macOS | <15.1 | 15.1 |
| IBM Planning Analytics Cloud | <=2.1 | |
| IBM Planning Analytics Cloud | <=2.0 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=17.1.0<=17.1.2 | 17.1.5 |
| F5 BIG-IP and BIG-IQ Centralized Management | >=16.1.0<=16.1.5 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=15.1.0<=15.1.10 | |
| F5 F5OS | =1.7.0>=1.5.1<=1.5.2 | |
| F5 F5OS | >=1.6.0<=1.6.2 | |
| F5 Traffix Systems Signaling Delivery Controller | =5.2.0=5.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://security.netapp.com/advisory/ntap-20240712-0001/
- https://launchpad.net/bugs/cve/CVE-2024-39573
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39573
- https://nvd.nist.gov/vuln/detail/CVE-2024-39573
- https://security-tracker.debian.org/tracker/CVE-2024-39573
- https://ubuntu.com/security/CVE-2024-39573
- https://access.redhat.com/errata/RHSA-2024:4720
- https://access.redhat.com/errata/RHSA-2024:4726
- https://access.redhat.com/errata/RHSA-2024:5001
- https://access.redhat.com/errata/RHSA-2024:5240
- https://access.redhat.com/errata/RHSA-2024:5239
- https://bugzilla.redhat.com/show_bug.cgi?id=2295022
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-39573
- https://github.com/apache/httpd/commit/9494aa8d52e3c263bc0413b77ac8a73b0d524388
- https://github.com/apache/httpd/commit/93aec0e3ca451bcc97f6d91c14d5399d13a73365
- https://my.f5.com/manage/s/article/K000140693
- https://www.ibm.com/support/pages/node/7168387 (Advisory)
- https://support.apple.com/en-us/121564 (Advisory)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2024-39573
- CVE-2024-38477
- CVE-2024-38476
- CVE-2024-44255
- CVE-2024-44232
- CVE-2024-44233
- CVE-2024-44234
- CVE-2024-44270
- CVE-2024-44280
- CVE-2024-44260
- CVE-2024-54535
- CVE-2024-44298
- CVE-2024-44273
- CVE-2024-44295
- CVE-2024-44240
- CVE-2024-44302
- CVE-2024-44213
- CVE-2024-44289
- CVE-2024-44282
- CVE-2024-44265
- CVE-2024-40854
- CVE-2024-44215
- CVE-2024-44297
- CVE-2024-44216
- CVE-2024-44287
- CVE-2024-44197
- CVE-2024-44299
- CVE-2024-44241
- CVE-2024-44242
- CVE-2024-44285
- CVE-2024-44239
- CVE-2024-44286
- CVE-2024-40849
- CVE-2024-44201
- CVE-2024-44231
- CVE-2024-44223
- CVE-2024-44222
- CVE-2024-44256
- CVE-2024-54471
- CVE-2024-44292
- CVE-2024-44293
- CVE-2024-44247
- CVE-2024-44267
- CVE-2024-44301
- CVE-2024-44275
- CVE-2024-44303
- CVE-2024-44156
- CVE-2024-44159
- CVE-2024-44253
- CVE-2024-44294
- CVE-2024-44196
- CVE-2024-40858
- CVE-2024-44277
- CVE-2024-44195
- CVE-2024-44259
- CVE-2024-44229
- CVE-2024-44219
- CVE-2024-44211
- CVE-2024-44218
- CVE-2024-44248
- CVE-2024-54538
- CVE-2024-44254
- CVE-2024-44269
- CVE-2024-44236
- CVE-2024-44237
- CVE-2024-44279
- CVE-2024-44281
- CVE-2024-44283
- CVE-2024-44284
- CVE-2024-44194
- CVE-2024-44200
- CVE-2024-44278
- CVE-2024-44264
- CVE-2024-44290
- CVE-2024-44296
- CVE-2024-44212
- CVE-2024-44244
- CVE-2024-44257
- CVE-2024-44250
Frequently Asked Questions
What is the severity of CVE-2024-39573?
CVE-2024-39573 is classified as a high severity vulnerability due to the potential for server-side request forgery.
How do I fix CVE-2024-39573?
To fix CVE-2024-39573, upgrade to the patched versions of Apache HTTP Server or affected products as specified by the vendor.
What products are affected by CVE-2024-39573?
CVE-2024-39573 affects several products, including Apache HTTP Server versions prior to 2.4.62, IBM Planning Analytics, and various versions of F5 BIG-IP.
What is server-side request forgery in the context of CVE-2024-39573?
In CVE-2024-39573, server-side request forgery allows an attacker to make unauthorized requests to internal resources through manipulated RewriteRules.
Can I still use my web applications if they are vulnerable to CVE-2024-39573?
Using web applications vulnerable to CVE-2024-39573 poses significant security risks, and it is highly recommended to apply the necessary updates immediately.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-39573
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/remedy
- collector/nvd-cve
- collector/launchpad-cve
- source/Launchpad
- agent/severity
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- collector/redhat-bugzilla
- source/Red Hat
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/source
- agent/description
- agent/trending
- agent/event
- agent/author
- collector/f5-advisory
- source/F5
- agent/software-canonical-lookup-request
- collector/apple-support
- source/Apple
- alias/CVE-2024-38477
- alias/CVE-2024-38476
- alias/CVE-2024-44255
- alias/CVE-2024-44232
- alias/CVE-2024-44233
- alias/CVE-2024-44234
- alias/CVE-2024-44270
- alias/CVE-2024-44280
- alias/CVE-2024-44260
- alias/CVE-2024-54535
- alias/CVE-2024-44298
- alias/CVE-2024-44273
- alias/CVE-2024-44295
- alias/CVE-2024-44240
- alias/CVE-2024-44302
- alias/CVE-2024-44213
- alias/CVE-2024-44289
- alias/CVE-2024-44282
- alias/CVE-2024-44265
- alias/CVE-2024-40854
- alias/CVE-2024-44215
- alias/CVE-2024-44297
- alias/CVE-2024-44216
- alias/CVE-2024-44287
- alias/CVE-2024-44197
- alias/CVE-2024-44299
- alias/CVE-2024-44241
- alias/CVE-2024-44242
- alias/CVE-2024-44285
- alias/CVE-2024-44239
- alias/CVE-2024-44286
- alias/CVE-2024-40849
- alias/CVE-2024-44201
- alias/CVE-2024-44231
- alias/CVE-2024-44223
- alias/CVE-2024-44222
- alias/CVE-2024-44256
- alias/CVE-2024-54471
- alias/CVE-2024-44292
- alias/CVE-2024-44293
- alias/CVE-2024-44247
- alias/CVE-2024-44267
- alias/CVE-2024-44301
- alias/CVE-2024-44275
- alias/CVE-2024-44303
- alias/CVE-2024-44156
- alias/CVE-2024-44159
- alias/CVE-2024-44253
- alias/CVE-2024-44294
- alias/CVE-2024-44196
- alias/CVE-2024-40858
- alias/CVE-2024-44277
- alias/CVE-2024-44195
- alias/CVE-2024-44259
- alias/CVE-2024-44229
- alias/CVE-2024-44219
- alias/CVE-2024-44211
- alias/CVE-2024-44218
- alias/CVE-2024-44248
- alias/CVE-2024-54538
- alias/CVE-2024-44254
- alias/CVE-2024-44269
- alias/CVE-2024-44236
- alias/CVE-2024-44237
- alias/CVE-2024-44279
- alias/CVE-2024-44281
- alias/CVE-2024-44283
- alias/CVE-2024-44284
- alias/CVE-2024-44194
- alias/CVE-2024-44200
- alias/CVE-2024-44278
- alias/CVE-2024-44264
- alias/CVE-2024-44290
- alias/CVE-2024-44296
- alias/CVE-2024-44212
- alias/CVE-2024-44244
- alias/CVE-2024-44257
- alias/CVE-2024-44250
- agent/tags
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- package-manager/debian
- vendor/f5
- canonical/f5 big-ip and big-iq centralized management
- version/f5 big-ip and big-iq centralized management/17.1.0
- version/f5 big-ip and big-iq centralized management/17.1.1
- version/f5 big-ip and big-iq centralized management/16.1.0
- version/f5 big-ip and big-iq centralized management/16.1.5
- version/f5 big-ip and big-iq centralized management/15.1.0
- version/f5 big-ip and big-iq centralized management/15.1.10
- canonical/f5 f5os
- version/f5 f5os/1.7.0
- version/f5 f5os/1.5.1
- version/f5 f5os/1.5.2
- version/f5 f5os/1.6.0
- version/f5 f5os/1.6.2
- canonical/f5 traffix systems signaling delivery controller
- version/f5 traffix systems signaling delivery controller/5.2.0
- version/f5 traffix systems signaling delivery controller/5.1.0
- vendor/apple
- canonical/macos
- vendor/ibm
- canonical/ibm planning analytics cloud
- version/ibm planning analytics cloud/2.1
- version/ibm planning analytics cloud/2.0