CVE-2024-38475: 
Apache HTTP Server vulnerability analysis and mitigation

Improper escaping of output in modrewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL. The vulnerability was discovered by Orange Tsai (@orange8361) from DEVCORE and was reported on April 1, 2024. The issue affects Apache HTTP Server versions 2.4.0 through 2.4.59 (Apache Advisory).

The vulnerability occurs when substitutions in server context use backreferences or variables as the first segment of the substitution. This can lead to improper path mapping, potentially exposing filesystem locations that should not be directly accessible. The vulnerability has been assigned a CVSS base score of 9.1 CRITICAL with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (CISA ADP).

Successful exploitation of this vulnerability could result in code execution or source code disclosure. The attacker can map URLs to filesystem locations that are permitted to be served by the server but are not intentionally or directly reachable by any URL (Apache Advisory, OSS Security).

The vulnerability has been fixed in Apache HTTP Server version 2.4.60. Users are recommended to upgrade to this version. For configurations that require the previous behavior, a new rewrite flag "UnsafePrefixStat" has been introduced, which can be used after ensuring the substitution is appropriately constrained (Apache Advisory).