ISHACK AI BOT

VMware Photon OS: CVE-2024-38475 Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:N) Published 07/01/2024 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2024-38475 CVE - 2024-38475

Gentoo Linux: CVE-2024-38475: Apache HTTPD: Multiple Vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/01/2024 Created 10/01/2024 Added 09/30/2024 Modified 09/30/2024 Description Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained. Solution(s) gentoo-linux-upgrade-www-servers-apache References https://attackerkb.com/topics/cve-2024-38475 CVE - 2024-38475 202409-31

F5 Networks: CVE-2024-39573: K000140693: Apache HTTP server vulnerability CVE-2024-39573 Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/01/2024 Created 08/27/2024 Added 08/23/2024 Modified 08/23/2024 Description Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Solution(s) f5-big-ip-upgrade-latest References https://attackerkb.com/topics/cve-2024-39573 CVE - 2024-39573 https://my.f5.com/manage/s/article/K000140693

Amazon Linux 2023: CVE-2024-38477: Important priority package update for httpd Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/01/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue. A flaw was found in the mod_proxy module of httpd. A NULL pointer dereference can be triggered when processing a specially crafted HTTP request, causing the httpd server to crash, and resulting in a denial of service. Solution(s) amazon-linux-2023-upgrade-httpd amazon-linux-2023-upgrade-httpd-core amazon-linux-2023-upgrade-httpd-core-debuginfo amazon-linux-2023-upgrade-httpd-debuginfo amazon-linux-2023-upgrade-httpd-debugsource amazon-linux-2023-upgrade-httpd-devel amazon-linux-2023-upgrade-httpd-filesystem amazon-linux-2023-upgrade-httpd-manual amazon-linux-2023-upgrade-httpd-tools amazon-linux-2023-upgrade-httpd-tools-debuginfo amazon-linux-2023-upgrade-mod-ldap amazon-linux-2023-upgrade-mod-ldap-debuginfo amazon-linux-2023-upgrade-mod-lua amazon-linux-2023-upgrade-mod-lua-debuginfo amazon-linux-2023-upgrade-mod-proxy-html amazon-linux-2023-upgrade-mod-proxy-html-debuginfo amazon-linux-2023-upgrade-mod-session amazon-linux-2023-upgrade-mod-session-debuginfo amazon-linux-2023-upgrade-mod-ssl amazon-linux-2023-upgrade-mod-ssl-debuginfo References https://attackerkb.com/topics/cve-2024-38477 CVE - 2024-38477 https://alas.aws.amazon.com/AL2023/ALAS-2024-656.html

Amazon Linux 2023: CVE-2024-39573: Important priority package update for httpd Severity 7 CVSS (AV:N/AC:H/Au:N/C:C/I:C/A:N) Published 07/01/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue. A flaw was found in the mod_rewrite module of httpd. A potential SSRF allows an attacker to cause unsafe rules used in the RewriteRule directive to unexpectedly set up URLs to be handled by the mod_proxy module. Solution(s) amazon-linux-2023-upgrade-httpd amazon-linux-2023-upgrade-httpd-core amazon-linux-2023-upgrade-httpd-core-debuginfo amazon-linux-2023-upgrade-httpd-debuginfo amazon-linux-2023-upgrade-httpd-debugsource amazon-linux-2023-upgrade-httpd-devel amazon-linux-2023-upgrade-httpd-filesystem amazon-linux-2023-upgrade-httpd-manual amazon-linux-2023-upgrade-httpd-tools amazon-linux-2023-upgrade-httpd-tools-debuginfo amazon-linux-2023-upgrade-mod-ldap amazon-linux-2023-upgrade-mod-ldap-debuginfo amazon-linux-2023-upgrade-mod-lua amazon-linux-2023-upgrade-mod-lua-debuginfo amazon-linux-2023-upgrade-mod-proxy-html amazon-linux-2023-upgrade-mod-proxy-html-debuginfo amazon-linux-2023-upgrade-mod-session amazon-linux-2023-upgrade-mod-session-debuginfo amazon-linux-2023-upgrade-mod-ssl amazon-linux-2023-upgrade-mod-ssl-debuginfo References https://attackerkb.com/topics/cve-2024-39573 CVE - 2024-39573 https://alas.aws.amazon.com/AL2023/ALAS-2024-656.html

GeoTools Complex: GeoServer Remote Code Execution (CVE-2024-36401) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 07/01/2024 Created 08/22/2024 Added 08/21/2024 Modified 08/22/2024 Description The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Solution(s) geotools-complex-update-latest References https://attackerkb.com/topics/cve-2024-36401 CVE - 2024-36401 https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w

Amazon Linux 2023: CVE-2024-36387: Medium priority package update for mod_http2 Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:P) Published 07/01/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. A flaw was found in the Apache HTTP Server. Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a NULL pointer dereference, leading to a crash of the server process. Solution(s) amazon-linux-2023-upgrade-mod-http2 amazon-linux-2023-upgrade-mod-http2-debuginfo amazon-linux-2023-upgrade-mod-http2-debugsource References https://attackerkb.com/topics/cve-2024-36387 CVE - 2024-36387 https://alas.aws.amazon.com/AL2023/ALAS-2024-689.html

Amazon Linux 2023: CVE-2024-38473: Important priority package update for httpd Severity 5 CVSS (AV:N/AC:L/Au:N/C:P/I:N/A:N) Published 07/01/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue. A flaw was found in the mod_proxy module of httpd. Due to an encoding problem, specially crafted request URLs with incorrect encoding can be sent to backend services, potentially bypassing authentication. Solution(s) amazon-linux-2023-upgrade-httpd amazon-linux-2023-upgrade-httpd-core amazon-linux-2023-upgrade-httpd-core-debuginfo amazon-linux-2023-upgrade-httpd-debuginfo amazon-linux-2023-upgrade-httpd-debugsource amazon-linux-2023-upgrade-httpd-devel amazon-linux-2023-upgrade-httpd-filesystem amazon-linux-2023-upgrade-httpd-manual amazon-linux-2023-upgrade-httpd-tools amazon-linux-2023-upgrade-httpd-tools-debuginfo amazon-linux-2023-upgrade-mod-ldap amazon-linux-2023-upgrade-mod-ldap-debuginfo amazon-linux-2023-upgrade-mod-lua amazon-linux-2023-upgrade-mod-lua-debuginfo amazon-linux-2023-upgrade-mod-proxy-html amazon-linux-2023-upgrade-mod-proxy-html-debuginfo amazon-linux-2023-upgrade-mod-session amazon-linux-2023-upgrade-mod-session-debuginfo amazon-linux-2023-upgrade-mod-ssl amazon-linux-2023-upgrade-mod-ssl-debuginfo References https://attackerkb.com/topics/cve-2024-38473 CVE - 2024-38473 https://alas.aws.amazon.com/AL2023/ALAS-2024-656.html

Huawei EulerOS: CVE-2024-38474: httpd security update Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 07/01/2024 Created 01/23/2025 Added 01/21/2025 Modified 01/30/2025 Description Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified. Solution(s) huawei-euleros-2_0_sp8-upgrade-httpd huawei-euleros-2_0_sp8-upgrade-httpd-devel huawei-euleros-2_0_sp8-upgrade-httpd-filesystem huawei-euleros-2_0_sp8-upgrade-httpd-manual huawei-euleros-2_0_sp8-upgrade-httpd-tools huawei-euleros-2_0_sp8-upgrade-mod_session huawei-euleros-2_0_sp8-upgrade-mod_ssl References https://attackerkb.com/topics/cve-2024-38474 CVE - 2024-38474 EulerOS-SA-2025-1122

Ubuntu: (Multiple Advisories) (CVE-2024-36387): Apache HTTP Server vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/01/2024 Created 07/10/2024 Added 07/09/2024 Modified 07/12/2024 Description Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. Solution(s) ubuntu-upgrade-apache2 References https://attackerkb.com/topics/cve-2024-36387 CVE - 2024-36387 USN-6885-1 USN-6885-2

Ubuntu: (Multiple Advisories) (CVE-2024-38475): Apache HTTP Server vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/01/2024 Created 07/10/2024 Added 07/09/2024 Modified 11/15/2024 Description Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained. Solution(s) ubuntu-pro-upgrade-apache2 References https://attackerkb.com/topics/cve-2024-38475 CVE - 2024-38475 USN-6885-1 USN-6885-2 USN-6885-3

F5 Networks: CVE-2024-38477: K000140784: Apache HTTPD vulnerability CVE-2024-38477 Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/01/2024 Created 08/28/2024 Added 08/28/2024 Modified 01/28/2025 Description null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Solution(s) f5-big-ip-upgrade-latest References https://attackerkb.com/topics/cve-2024-38477 CVE - 2024-38477 https://my.f5.com/manage/s/article/K000140784

Amazon Linux AMI 2: CVE-2024-39573: Security patch for httpd (ALAS-2024-2594) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/01/2024 Created 07/23/2024 Added 07/23/2024 Modified 07/23/2024 Description Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Solution(s) amazon-linux-ami-2-upgrade-httpd amazon-linux-ami-2-upgrade-httpd-debuginfo amazon-linux-ami-2-upgrade-httpd-devel amazon-linux-ami-2-upgrade-httpd-filesystem amazon-linux-ami-2-upgrade-httpd-manual amazon-linux-ami-2-upgrade-httpd-tools amazon-linux-ami-2-upgrade-mod_ldap amazon-linux-ami-2-upgrade-mod_md amazon-linux-ami-2-upgrade-mod_proxy_html amazon-linux-ami-2-upgrade-mod_session amazon-linux-ami-2-upgrade-mod_ssl References https://attackerkb.com/topics/cve-2024-39573 AL2/ALAS-2024-2594 CVE - 2024-39573

SUSE: CVE-2024-36387: SUSE Linux Security Advisory Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/01/2024 Created 07/24/2024 Added 07/24/2024 Modified 07/24/2024 Description Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. Solution(s) suse-upgrade-apache2 suse-upgrade-apache2-devel suse-upgrade-apache2-event suse-upgrade-apache2-manual suse-upgrade-apache2-prefork suse-upgrade-apache2-utils suse-upgrade-apache2-worker References https://attackerkb.com/topics/cve-2024-36387 CVE - 2024-36387

Amazon Linux AMI 2: CVE-2024-38473: Security patch for httpd (ALAS-2024-2594) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/01/2024 Created 07/23/2024 Added 07/23/2024 Modified 07/23/2024 Description Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Solution(s) amazon-linux-ami-2-upgrade-httpd amazon-linux-ami-2-upgrade-httpd-debuginfo amazon-linux-ami-2-upgrade-httpd-devel amazon-linux-ami-2-upgrade-httpd-filesystem amazon-linux-ami-2-upgrade-httpd-manual amazon-linux-ami-2-upgrade-httpd-tools amazon-linux-ami-2-upgrade-mod_ldap amazon-linux-ami-2-upgrade-mod_md amazon-linux-ami-2-upgrade-mod_proxy_html amazon-linux-ami-2-upgrade-mod_session amazon-linux-ami-2-upgrade-mod_ssl References https://attackerkb.com/topics/cve-2024-38473 AL2/ALAS-2024-2594 CVE - 2024-38473

Amazon Linux AMI 2: CVE-2024-38476: Security patch for httpd (ALAS-2024-2594) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 07/01/2024 Created 07/23/2024 Added 07/23/2024 Modified 01/28/2025 Description Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Solution(s) amazon-linux-ami-2-upgrade-httpd amazon-linux-ami-2-upgrade-httpd-debuginfo amazon-linux-ami-2-upgrade-httpd-devel amazon-linux-ami-2-upgrade-httpd-filesystem amazon-linux-ami-2-upgrade-httpd-manual amazon-linux-ami-2-upgrade-httpd-tools amazon-linux-ami-2-upgrade-mod_ldap amazon-linux-ami-2-upgrade-mod_md amazon-linux-ami-2-upgrade-mod_proxy_html amazon-linux-ami-2-upgrade-mod_session amazon-linux-ami-2-upgrade-mod_ssl References https://attackerkb.com/topics/cve-2024-38476 AL2/ALAS-2024-2594 CVE - 2024-38476

Amazon Linux AMI 2: CVE-2024-38477: Security patch for httpd (ALAS-2024-2594) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/01/2024 Created 07/23/2024 Added 07/23/2024 Modified 01/28/2025 Description null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Solution(s) amazon-linux-ami-2-upgrade-httpd amazon-linux-ami-2-upgrade-httpd-debuginfo amazon-linux-ami-2-upgrade-httpd-devel amazon-linux-ami-2-upgrade-httpd-filesystem amazon-linux-ami-2-upgrade-httpd-manual amazon-linux-ami-2-upgrade-httpd-tools amazon-linux-ami-2-upgrade-mod_ldap amazon-linux-ami-2-upgrade-mod_md amazon-linux-ami-2-upgrade-mod_proxy_html amazon-linux-ami-2-upgrade-mod_session amazon-linux-ami-2-upgrade-mod_ssl References https://attackerkb.com/topics/cve-2024-38477 AL2/ALAS-2024-2594 CVE - 2024-38477

Oracle Linux: CVE-2024-36387: ELSA-2024-8680:mod_http2 security update (LOW) (Multiple Advisories) Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:P) Published 07/01/2024 Created 11/13/2024 Added 11/11/2024 Modified 11/27/2024 Description Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. A flaw was found in the Apache HTTP Server. Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a NULL pointer dereference, leading to a crash of the server process. Solution(s) oracle-linux-upgrade-mod-http2 References https://attackerkb.com/topics/cve-2024-36387 CVE - 2024-36387 ELSA-2024-8680

Oracle Linux: CVE-2024-38474: ELSA-2024-4726:httpd security update (IMPORTANT) (Multiple Advisories) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 07/01/2024 Created 08/20/2024 Added 08/16/2024 Modified 01/08/2025 Description Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified. A flaw was found in the mod_rewrite module of httpd. Due to a substitution encoding issue, specially crafted requests may allow an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant only to be executed as CGI. Solution(s) oracle-linux-upgrade-httpd oracle-linux-upgrade-httpd-core oracle-linux-upgrade-httpd-devel oracle-linux-upgrade-httpd-filesystem oracle-linux-upgrade-httpd-manual oracle-linux-upgrade-httpd-tools oracle-linux-upgrade-mod-http2 oracle-linux-upgrade-mod-ldap oracle-linux-upgrade-mod-lua oracle-linux-upgrade-mod-md oracle-linux-upgrade-mod-proxy-html oracle-linux-upgrade-mod-session oracle-linux-upgrade-mod-ssl References https://attackerkb.com/topics/cve-2024-38474 CVE - 2024-38474 ELSA-2024-4726 ELSA-2024-4943 ELSA-2024-4720

Oracle Linux: CVE-2024-38477: ELSA-2024-4726:httpd security update (IMPORTANT) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/01/2024 Created 08/20/2024 Added 08/16/2024 Modified 01/08/2025 Description null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue. A flaw was found in the mod_proxy module of httpd. A NULL pointer dereference can be triggered when processing a specially crafted HTTP request, causing the httpd server to crash, and resulting in a denial of service. Solution(s) oracle-linux-upgrade-httpd oracle-linux-upgrade-httpd-core oracle-linux-upgrade-httpd-devel oracle-linux-upgrade-httpd-filesystem oracle-linux-upgrade-httpd-manual oracle-linux-upgrade-httpd-tools oracle-linux-upgrade-mod-http2 oracle-linux-upgrade-mod-ldap oracle-linux-upgrade-mod-lua oracle-linux-upgrade-mod-md oracle-linux-upgrade-mod-proxy-html oracle-linux-upgrade-mod-session oracle-linux-upgrade-mod-ssl References https://attackerkb.com/topics/cve-2024-38477 CVE - 2024-38477 ELSA-2024-4726 ELSA-2024-4943 ELSA-2024-4720

FreeBSD: VID-D7EFC2AD-37AF-11EF-B611-84A93843EB75 (CVE-2024-39573): Apache httpd -- Multiple vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/01/2024 Created 07/03/2024 Added 07/02/2024 Modified 07/02/2024 Description Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Solution(s) freebsd-upgrade-package-apache24 References CVE-2024-39573

Red Hat: CVE-2024-36387: mod_http2: DoS by null pointer in websocket over HTTP/2 (Multiple Advisories) Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:P) Published 07/01/2024 Created 11/05/2024 Added 11/04/2024 Modified 11/04/2024 Description Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. Solution(s) redhat-upgrade-mod_http2 redhat-upgrade-mod_http2-debuginfo redhat-upgrade-mod_http2-debugsource References CVE-2024-36387 RHSA-2024:8680

FreeBSD: VID-F1A00122-3797-11EF-B611-84A93843EB75 (CVE-2024-6387): OpenSSH -- Race condition resulting in potential remote code execution Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 07/01/2024 Created 07/02/2024 Added 07/01/2024 Modified 01/28/2025 Description A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. Solution(s) freebsd-upgrade-base-13_2-release-p12 freebsd-upgrade-base-13_3-release-p4 freebsd-upgrade-base-14_0-release-p8 freebsd-upgrade-base-14_1-release-p2 freebsd-upgrade-package-openssh-portable References CVE-2024-6387

Amazon Linux AMI: CVE-2024-38476: Security patch for httpd24 (ALAS-2024-1944) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 07/01/2024 Created 07/27/2024 Added 07/25/2024 Modified 01/28/2025 Description Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Solution(s) amazon-linux-upgrade-httpd24 References ALAS-2024-1944 CVE-2024-38476

Amazon Linux AMI: CVE-2024-38477: Security patch for httpd24 (ALAS-2024-1944) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/01/2024 Created 07/27/2024 Added 07/25/2024 Modified 01/28/2025 Description null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Solution(s) amazon-linux-upgrade-httpd24 References ALAS-2024-1944 CVE-2024-38477