Bug 1227276 (CVE-2024-38473) - VUL-0: CVE-2024-38473: apache2: Encoding problem in mod_proxy
Status: NEW
Alias: CVE-2024-38473
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: David Anes
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/412509/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-38473:5.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-02 09:28 UTC by SMASH SMASH
Modified: 2024-07-17 12:41 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-07-02 09:28:12 UTC
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.
Users are recommended to upgrade to version 2.4.60, which fixes this issue.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-38473
https://seclists.org/oss-sec/2024/q3/5
https://www.cve.org/CVERecord?id=CVE-2024-38473
https://bugzilla.redhat.com/show_bug.cgi?id=2295012
Comment 1 Thomas Leroy 2024-07-02 09:29:27 UTC
Affected:
- SUSE:ALP:Source:Standard:1.0
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-12-SP5:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15-SP4:Update
- SUSE:SLE-15-SP6:Update
- SUSE:SLE-15:Update
- SUSE:SLFO:Main
- openSUSE:Factory