Bug 1227269 (CVE-2024-38476)

Summary: VUL-0: CVE-2024-38476: apache2,apache2-tls13: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: David Anes <david.anes>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P2 - High
CC: andrea.mattiazzo
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/412506/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-38476:8.1:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-07-02 08:08:46 UTC
The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.

Users are recommended to upgrade to version 2.4.60, which fixes this issue.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-38476
https://seclists.org/oss-sec/2024/q3/8
https://www.cve.org/CVERecord?id=CVE-2024-38476
Comment 5 Maintenance Automation 2024-07-18 16:43:03 UTC
SUSE-SU-2024:2560-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1227269
CVE References: CVE-2024-38476
Maintenance Incident: SUSE:Maintenance:34772 (https://smelt.suse.de/incident/34772/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 apache2-tls13-2.4.51-35.54.1, apache2-2.4.51-35.54.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 apache2-tls13-2.4.51-35.54.1, apache2-2.4.51-35.54.1
SUSE Linux Enterprise Server 12 SP5 (src):
 apache2-tls13-2.4.51-35.54.1, apache2-2.4.51-35.54.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 apache2-tls13-2.4.51-35.54.1, apache2-2.4.51-35.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
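A practical follow-up to the update notice above is confirming that a host actually carries the fixed build. The script below is an added example, not SUSE's or Apache's tooling: it compares an installed apache2 / apache2-tls13 version-release against the fixed 2.4.51-35.54.1 listed in SUSE-SU-2024:2560-1, using a simplified reimplementation of rpm's version-ordering rules (written here, not taken from rpm; epochs are not handled because none appear on this page). The sample `rpm -q` lines are constructed, and the older release 35.53.1 in them is purely illustrative.

```python
import re

# Fixed version-release pairs as listed in SUSE-SU-2024:2560-1 on this page.
FIXED = {
    "apache2": "2.4.51-35.54.1",
    "apache2-tls13": "2.4.51-35.54.1",
}

# rpm ignores separators ('.', '-', '_', ...) and compares only the numeric
# and alphabetic runs, plus the '~' (pre-release) and '^' (post-release) markers.
_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (assumption: our own reimplementation, not rpm's code).
    Returns -1, 0 or 1 for a < b, a == b, a > b.
    Rules: numeric runs compare as integers (so 1.01 == 1.1); a numeric run beats an
    alphabetic one; alphabetic runs compare as strings; '~' sorts before anything,
    including the end of the string (1.0~rc1 < 1.0); '^' sorts after the end of the
    string but before any other token; otherwise the string with tokens left over wins."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    i = 0
    while i < len(ta) or i < len(tb):
        x = ta[i] if i < len(ta) else ""
        y = tb[i] if i < len(tb) else ""
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
        elif x == "^" or y == "^":
            if x != y:
                if x == "^":
                    return 1 if y == "" else -1
                return -1 if x == "" else 1
        elif x == "" or y == "":
            return -1 if x == "" else 1
        elif x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
        i += 1
    return 0


def evr_cmp(a: str, b: str) -> int:
    """Compare two 'version-release' strings as rpm does: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(package: str, installed_vr: str) -> bool:
    """True when the installed version-release is at or above the fixed one."""
    return evr_cmp(installed_vr, FIXED[package]) >= 0


def check_rpm_q_output(lines):
    """Parse lines shaped like the output of
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\\n' apache2 apache2-tls13
    and return {name: (installed_vr, fixed?)} for the packages this update covers."""
    result = {}
    for line in lines:
        # Package names may contain '-', so split off only the last two fields.
        name, version, release = line.strip().rsplit("-", 2)
        if name in FIXED:
            vr = f"{version}-{release}"
            result[name] = (vr, is_fixed(name, vr))
    return result


# Constructed sample: one package still on an (illustrative) older release,
# one already at the release shipped by SUSE-SU-2024:2560-1.
SAMPLE_RPM_Q = [
    "apache2-2.4.51-35.53.1",
    "apache2-tls13-2.4.51-35.54.1",
]

if __name__ == "__main__":
    for name, (vr, ok) in check_rpm_q_output(SAMPLE_RPM_Q).items():
        print(f"{name} {vr}: {'patched' if ok else 'VULNERABLE (below ' + FIXED[name] + ')'}")
```

Feed it the real `rpm -q` output on a SUSE 12 SP5 host to get a per-package verdict; a release string equal to or newer than 35.54.1 on version 2.4.51 means the SUSE-SU-2024:2560-1 build is installed.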