CVE-2024-38472

HIGH severity · CVSS 7.5 · Server-side request forgery (SSRF)

7.5CVSS HIGH

Summary

SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactNone

Availability impactNone

Exploit probability (EPSS)91%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products we track (2)

Apache HTTP Server NetApp ONTAP

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
https://httpd.apache.org/security/vulnerabilities_24.htmlAdvisory
https://httpd.apache.org/security/vulnerabilities_24.htmlAdvisory
http://www.openwall.com/lists/oss-security/2024/07/01/5
https://security.netapp.com/advisory/ntap-20240712-0001/Advisory