Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2024-39884

Опубликовано: 04 июл. 2024
Источник: debian
EPSS Низкий

Описание

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.   "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
apache2fixed2.4.61-1package
apache2not-affectedbookwormpackage

Примечания

  • https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-39884

  • Fixed by [1/4] https://github.com/apache/httpd/commit/cf3402e182f7a32eb9085a82347769cb2efe491e (trunk)

  • Fixed by [2/4] https://github.com/apache/httpd/commit/aa4b05ee0536fdbd62b02eaab91f31ae3a305129 (trunk)

  • Fixed by [3/4] https://github.com/apache/httpd/commit/8ad3ec08d4852e1fc967377dbab4e8c76b96b791 (trunk)

  • Fixed by [4/4] https://github.com/apache/httpd/commit/fbe782e6c4a7c255790b80c74d5b8ee320ec93d2 (trunk)

  • Introduced by https://github.com/apache/httpd/commit/925b6f0ceb8983a11662b5f3a6f2fa75860c2cde

  • Regression fix in 2.4.60 (likely due to fix for CVE-2024-38476)

  • [regression] Fix was not fully merged in 2.4.61 and need another patch:

  • https://github.com/apache/httpd/pull/475 (patch [3/4] from trunk)

  • [regression] Tracked at: https://bugs.debian.org/1079206

  • Regression fixed by: https://github.com/apache/httpd/commit/5f82765bc640ddb6a13a681464856bf8f8a5cb10 (2.4.x)

EPSS

Процентиль: 31%
0.00114
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2024-39884

CVSS3: 6.2
ubuntu
12 месяцев назад

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.   "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.

redhat логотип

CVE-2024-39884

CVSS3: 7.5
redhat
12 месяцев назад

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.   "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.

nvd логотип

CVE-2024-39884

CVSS3: 6.2
nvd
12 месяцев назад

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.   "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.

msrc логотип

CVE-2024-39884

CVSS3: 6.2
msrc
11 месяцев назад

Описание отсутствует

suse-cvrf логотип

SUSE-SU-2024:3061-1

suse-cvrf
10 месяцев назад

Security update for apache2

EPSS

Процентиль: 31%
0.00114
Низкий