CVE-2024-38477: 
Apache HTTP Server vulnerability analysis and mitigation

A null pointer dereference vulnerability (CVE-2024-38477) was discovered in modproxy component of Apache HTTP Server versions 2.4.59 and earlier. The vulnerability allows an attacker to crash the server through a malicious request, leading to a denial of service condition. The issue was discovered by Orange Tsai (@orange8361) from DEVCORE and was publicly disclosed on July 1, 2024 (OSS Security, Apache Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue stems from a null pointer dereference in the mod_proxy module when processing certain malicious requests. The vulnerability is tracked as CWE-476 (NULL Pointer Dereference) (NVD).

When successfully exploited, this vulnerability can cause the Apache HTTP Server to crash, resulting in a denial of service condition. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (NetApp Advisory).

Users are strongly recommended to upgrade to Apache HTTP Server version 2.4.60, which contains the fix for this vulnerability. The issue was addressed in the 2.4.60 release (Apache Advisory).