Wiz Agents & Workflows are here
Wiz
Vulnerability DatabaseCVE-2024-38473

CVE-2024-38473
Apache HTTP Server vulnerability analysis and mitigation

Overview

A moderate severity vulnerability (CVE-2024-38473) was identified in the mod_proxy module of Apache HTTP Server versions 2.4.59 and earlier. The vulnerability stems from an encoding problem that allows request URLs with incorrect encoding to be sent to backend services (Apache Httpd, CVE Mitre).

Technical details

The vulnerability affects configurations where mechanisms other than ProxyPass/ProxyPassMatch or RewriteRule with the 'P' flag are used to configure a request to be proxied, such as SetHandler or inadvertent proxying. This includes configurations where these alternate mechanisms may be used within .htaccess files. The issue allows request URLs with incorrect encoding to be sent to backend services (Apache Httpd).

Impact

When successfully exploited, this vulnerability could potentially lead to authentication bypass via crafted requests. The vulnerability has been assigned a CVSS score of 8.1 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (NetApp Security).

Mitigation and workarounds

Users are recommended to upgrade to Apache HTTP Server version 2.4.60, which contains the fix for this vulnerability. The issue was reported by Orange Tsai (@orange_8361) from DEVCORE and was fixed in version 2.4.60 released on July 1, 2024 (Apache Httpd).

Additional resources

SourceThis report was generated using AI

Related Apache HTTP Server vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-58098HIGH8.3
  • Apache HTTP ServerApache HTTP Server
  • httpd:2.4::mod_md
NoYesDec 05, 2025
CVE-2025-59775HIGH7.5
  • Apache HTTP ServerApache HTTP Server
  • apache
NoYesDec 05, 2025
CVE-2025-65082MEDIUM6.5
  • Apache HTTP ServerApache HTTP Server
  • apache2-tls13-doc
NoYesDec 05, 2025
CVE-2025-66200MEDIUM5.4
  • Apache HTTP ServerApache HTTP Server
  • httpd-core
NoYesDec 05, 2025
ELSA-2025-23919HIGHN/A
  • Apache HTTP ServerApache HTTP Server
  • httpd-tools
NoYesDec 22, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo