Cyber Resilience

CVE-2024-38473

Severity: High
Published: 01 July 2024
Modified: 01 July 2025

CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS score: 0.8854 (99.5th percentile)
Risk priority: 69 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-38473 is a high-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Apache HTTP Server. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-38473 is an encoding flaw in the mod_proxy module of Apache HTTP Server versions 2.4.59 and earlier. The defect allows specially crafted request URLs containing incorrect encoding to be forwarded to backend services, which can result in authentication bypass. The vulnerability is tracked under CWE-116 and carries a CVSS 3.1 score of 8.1.

An attacker with low privileges and network access can send malformed requests through the proxy. Successful exploitation may expose sensitive data from protected backends or disrupt service availability without requiring user interaction.

Apache recommends immediate upgrade to version 2.4.60. Corresponding advisories from the Apache project and NetApp detail the fixed release and urge administrators to apply the update to eliminate the encoding mishandling in mod_proxy. The associated EPSS score has remained at 0.8854 since disclosure.

Vulnerability details

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Apache HTTP Server: 2.4.0 — 2.4.60
NetApp ONTAP: 9

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-116

Validating that output matches expected content directly mitigates failures to properly encode or escape data for its destination context.
