CVE-2024-38472: 
Apache HTTP Server vulnerability analysis and mitigation

SSRF (Server-Side Request Forgery) vulnerability in Apache HTTP Server on Windows (CVE-2024-38472) allows potential leakage of NTLM hashes to a malicious server through SSRF and malicious requests or content. The vulnerability was discovered by Orange Tsai from DEVCORE and affects Apache HTTP Server versions 2.4.0 through 2.4.59. Users are recommended to upgrade to version 2.4.60 which includes the fix (Apache Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction. The vulnerability specifically affects Windows deployments of Apache HTTP Server, where malicious requests can trigger NTLM hash leakage. After applying the fix, existing configurations that access UNC paths will require configuration of a new directive called 'UNCList' to allow access during request processing (NetApp Advisory).

The successful exploitation of this vulnerability could lead to the disclosure of sensitive NTLM hashes to a malicious server. This information disclosure could potentially be used by attackers for further attacks against the Windows infrastructure. The vulnerability is rated as HIGH severity due to its potential for exposing authentication credentials (NetApp Advisory).

The primary mitigation is to upgrade to Apache HTTP Server version 2.4.60 or later. After upgrading, administrators must configure the new 'UNCList' directive if their deployment uses UNC paths. This new directive is required to allow access during request processing (Apache Advisory).