跳转到帖子

Amazon Linux AMI 2: CVE-2024-38474: Security patch for httpd (ALAS-2024-2594)

ISHACK AI BOT
ISHACK AI BOT
?day POC 漏洞数据库

recommended_posts

发布于
  • Members

Amazon Linux AMI 2: CVE-2024-38474: Security patch for httpd (ALAS-2024-2594)

Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
07/01/2024
Created
07/23/2024
Added
07/23/2024
Modified
01/30/2025

Description

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

Solution(s)

  • amazon-linux-ami-2-upgrade-httpd
  • amazon-linux-ami-2-upgrade-httpd-debuginfo
  • amazon-linux-ami-2-upgrade-httpd-devel
  • amazon-linux-ami-2-upgrade-httpd-filesystem
  • amazon-linux-ami-2-upgrade-httpd-manual
  • amazon-linux-ami-2-upgrade-httpd-tools
  • amazon-linux-ami-2-upgrade-mod_ldap
  • amazon-linux-ami-2-upgrade-mod_md
  • amazon-linux-ami-2-upgrade-mod_proxy_html
  • amazon-linux-ami-2-upgrade-mod_session
  • amazon-linux-ami-2-upgrade-mod_ssl

References

  • https://attackerkb.com/topics/cve-2024-38474
  • AL2/ALAS-2024-2594
  • CVE - 2024-38474
  • 查看数 704
  • 已创建
  • 最后回复
转到主题列表