Bug 1227353 (CVE-2024-39884)

Summary: VUL-0: CVE-2024-39884: apache2: source code disclosure with handlers configured via AddType
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: David Anes <david.anes>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, camila.matos
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/412787/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-39884:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 1 Camila Camargo de Matos 2024-07-03 16:39:09 UTC 
Severity: important

Affected versions:

- Apache HTTP Server 2.4.60

Description:

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration 
of handlers.   "AddType" and similar configuration, under some circumstances where files are requested indirectly, 
result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.

Users are recommended to upgrade to version 2.4.61, which fixes this issue.

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-39884

Timeline:

2024-07-01: reported

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39884
https://seclists.org/oss-sec/2024/q3/22
https://www.cve.org/CVERecord?id=CVE-2024-39884
Comment 6 Alexander Bergmann 2024-07-18 08:40:48 UTC 
It looks like the fix for this issue is not complete. There is a new bsc#1228097 with CVE-2024-40725 that references this CVE.