Bug 1227276 (CVE-2024-38473)

Summary: VUL-0: CVE-2024-38473: apache2: Encoding problem in mod_proxy
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: David Anes <david.anes>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: thomas.leroy
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/412509/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-38473:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-07-02 09:28:12 UTC
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.
Users are recommended to upgrade to version 2.4.60, which fixes this issue.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-38473
https://seclists.org/oss-sec/2024/q3/5
https://www.cve.org/CVERecord?id=CVE-2024-38473
https://bugzilla.redhat.com/show_bug.cgi?id=2295012
Comment 1 Thomas Leroy 2024-07-02 09:29:27 UTC
Affected:
- SUSE:ALP:Source:Standard:1.0
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-12-SP5:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15-SP4:Update
- SUSE:SLE-15-SP6:Update
- SUSE:SLE-15:Update
- SUSE:SLFO:Main
- openSUSE:Factory