CVE-2024-38474: 
Apache HTTP Server vulnerability analysis and mitigation

A substitution encoding issue was discovered in modrewrite module of Apache HTTP Server versions 2.4.0 through 2.4.59. The vulnerability (CVE-2024-38474) was reported by Orange Tsai (@orange8361) from DEVCORE on April 1, 2024, and was fixed in version 2.4.60 released on July 1, 2024 (Apache Vulnerabilities, OSS Security).

The vulnerability allows attackers to execute scripts in directories that are permitted by the configuration but not directly reachable by any URL, or enables source disclosure of scripts meant to only be executed as CGI. After the fix, some RewriteRules that capture and substitute unsafely will fail unless the rewrite flag 'UnsafeAllow3F' is specified. The vulnerability has been rated as having an Important security impact with a CVSS score of 8.1 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H (NetApp Advisory).

When successfully exploited, this vulnerability could lead to unauthorized script execution in permitted directories that are not meant to be directly accessible. Additionally, it could result in the disclosure of source code for scripts that are intended to be executed only as CGI applications (Apache Vulnerabilities).

Users are strongly recommended to upgrade to Apache HTTP Server version 2.4.60 or later, which contains the fix for this vulnerability. For configurations that require maintaining potentially unsafe RewriteRules, administrators must explicitly enable the 'UnsafeAllow3F' flag. Various vendors have also released patches for their affected products, such as Red Hat's updates for Enterprise Linux (Red Hat Advisory).