Bug 1227269 (CVE-2024-38476) - VUL-0: CVE-2024-38476: apache2,apache2-tls13: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
Status: IN_PROGRESS
Alias: CVE-2024-38476
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P2 - High  Severity: Normal
Target Milestone: ---
Assignee: David Anes
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/412506/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-38476:8.1:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-02 08:08 UTC by SMASH SMASH
Modified: 2024-07-18 16:43 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-07-02 08:08:46 UTC
The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.

Users are recommended to upgrade to version 2.4.60, which fixes this issue.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-38476
https://seclists.org/oss-sec/2024/q3/8
https://www.cve.org/CVERecord?id=CVE-2024-38476
Comment 5 Maintenance Automation 2024-07-18 16:43:03 UTC
SUSE-SU-2024:2560-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1227269
CVE References: CVE-2024-38476
Maintenance Incident: SUSE:Maintenance:34772 (https://smelt.suse.de/incident/34772/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 apache2-tls13-2.4.51-35.54.1, apache2-2.4.51-35.54.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 apache2-tls13-2.4.51-35.54.1, apache2-2.4.51-35.54.1
SUSE Linux Enterprise Server 12 SP5 (src):
 apache2-tls13-2.4.51-35.54.1, apache2-2.4.51-35.54.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 apache2-tls13-2.4.51-35.54.1, apache2-2.4.51-35.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
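As an added check, not part of this bug report or of SUSE's own tooling: a Python script that decides whether the installed apache2 and apache2-tls13 packages are at or above the fixed build 2.4.51-35.54.1 listed above. It re-implements rpm's rpmvercmp() ordering (digit runs compared numerically, letter runs lexically, '~' sorting before the end of the string, '^' after it) so the epoch:version-release comparison matches what rpm and zypper would compute. The rpm query format, the function names and the sample `rpm -q` output are my own; the sample output is constructed.

```python
import shutil
import subprocess

# Fixed build from SUSE-SU-2024:2560-1 for SLE 12 SP5 (see the update note above).
# The fix is backported into the 2.4.51 package, so the upstream "2.4.60" threshold
# must not be used on SLE; compare against the distribution version-release instead.
FIXED_VR = "2.4.51-35.54.1"
PACKAGES = ("apache2", "apache2-tls13")
# Assumed query format: rpm prints "(none)" for EPOCH when the package has no epoch.
RPM_QUERY_FORMAT = "%{NAME}|%{EPOCH}|%{VERSION}|%{RELEASE}\n"

# Constructed sample: apache2 is one release behind the fix, apache2-tls13 is fixed.
SAMPLE_RPM_OUTPUT = """\
apache2|(none)|2.4.51|35.51.1
apache2-tls13|(none)|2.4.51|35.54.1
"""


def _isdigit(c: str) -> bool:
    return c.isascii() and c.isdigit()


def _isalpha(c: str) -> bool:
    return c.isascii() and c.isalpha()


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings like rpm's rpmvercmp(): -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators are skipped; '~' and '^' are significant and handled first.
        while i < len(a) and not (_isdigit(a[i]) or _isalpha(a[i])) and a[i] not in "~^":
            i += 1
        while j < len(b) and not (_isdigit(b[j]) or _isalpha(b[j])) and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # 1.0~rc1 < 1.0: tilde sorts before everything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # 1.0^git1 > 1.0, but 1.0^git1 < 1.0.1
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        isnum = _isdigit(ca)
        take = _isdigit if isnum else _isalpha
        pa, pb = i, j
        while pa < len(a) and take(a[pa]):
            pa += 1
        while pb < len(b) and take(b[pb]):
            pb += 1
        seg_a, seg_b = a[i:pa], b[j:pb]
        if not seg_b:                       # numeric segment beats alpha, alpha loses to numeric
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # longer digit run is the larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = pa, pb
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """'[epoch:]version-release' -> (epoch:int, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(x: str, y: str) -> int:
    """Full epoch, then version, then release comparison."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def assess(rpm_output: str, fixed: str = FIXED_VR, packages=PACKAGES) -> dict:
    """Map each tracked package found in the rpm output to True (fixed) or False (below fix)."""
    status = {}
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line or line.startswith("package "):   # "package X is not installed"
            continue
        name, epoch, version, release = line.split("|")
        if name not in packages:
            continue
        epoch = "0" if epoch == "(none)" else epoch
        status[name] = evr_cmp(f"{epoch}:{version}-{release}", "0:" + fixed) >= 0
    return status


def query_installed(packages=PACKAGES) -> str:
    """Query the local rpm database; rpm exits non-zero if any package is missing."""
    proc = subprocess.run(["rpm", "-q", "--qf", RPM_QUERY_FORMAT, *packages],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    output = query_installed() if shutil.which("rpm") else SAMPLE_RPM_OUTPUT
    for name, ok in sorted(assess(output).items()):
        print(f"{name}: {'fixed' if ok else 'below ' + FIXED_VR + ', update needed'}")
```

Run it on a SLE 12 SP5 host with rpm available; elsewhere it falls back to the constructed sample. A host is only covered when every installed package from the list reports fixed, and the comparison is against the SUSE release string, not the upstream 2.4.60 version, because the backport keeps the 2.4.51 version number.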