
Cloud Vulnerability DB
A community-led vulnerabilities database
A regression in the core of Apache HTTP Server 2.4.60 causes some uses of the legacy content-type based configuration of handlers to be ignored. Under some circumstances where files are requested indirectly, 'AddType' and similar configuration results in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. The vulnerability was discovered on July 1, 2024, and was assigned CVE-2024-39884 (Apache Security, OSS Security).
The vulnerability affects Apache HTTP Server version 2.4.60 and involves a regression in how the server handles legacy content-type based configuration of handlers. When files are requested indirectly, the server may ignore the configured handlers, leading to source code disclosure instead of proper interpretation of files. The issue has been assigned a CVSS v3.1 base score of 6.2 (MEDIUM) with the vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).
The primary impact of this vulnerability is the potential disclosure of sensitive information through source code exposure. In particular, script files (such as PHP) that should be executed by their respective handlers may instead be served as plain text, revealing their source code to attackers (NetApp Security).
Users are recommended to upgrade to Apache HTTP Server version 2.4.61, which contains the fix for this vulnerability. The issue was addressed in the core server code and released on July 3, 2024 (Apache Security).
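A configuration audit for this issue, as an added example that is not code from Apache or from this database: it flags a host when the reported version is 2.4.60 and the configuration contains handler-style `AddType` lines. It assumes handler media types use the conventional `application/x-httpd-*` naming, checks only `AddType` (not the "similar configuration" the advisory mentions), and runs on a constructed banner and config; the function names are hypothetical.

```python
import re

AFFECTED = "2.4.60"  # the only release the advisory text names as affected
# Assumption: legacy handler media types follow the conventional
# "application/x-httpd-*" naming, e.g. application/x-httpd-php.
HANDLER_TYPE = re.compile(r"^application/x-httpd-", re.I)

def server_version(banner):
    """Pull x.y.z out of `httpd -v` output or a Server response header."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else None

def legacy_addtype(conf_text):
    """List (line_no, media_type, extensions) for handler-style AddType lines."""
    hits, buf, start = [], "", 0
    for no, raw in enumerate(conf_text.splitlines(), 1):
        if not buf:
            start = no  # first physical line of this directive
        if raw.rstrip().endswith("\\"):  # httpd joins backslash-continued lines
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Directive names are case-insensitive in httpd configuration.
        if parts[0].lower() == "addtype" and len(parts) >= 3:
            mtype = parts[1].strip('"')
            if HANDLER_TYPE.match(mtype):
                hits.append((start, mtype, parts[2:]))
    return hits

def assess(banner, conf_text):
    version, hits = server_version(banner), legacy_addtype(conf_text)
    return {"version": version, "legacy_handlers": hits,
            "flagged": version == AFFECTED and bool(hits)}

# Constructed sample input, not taken from a real server.
SAMPLE_BANNER = "Server version: Apache/2.4.60 (Unix)"
SAMPLE_CONF = """\
# constructed sample
AddType text/html .shtml
addtype application/x-httpd-php \\
    .php .phtml
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONF))
```

The `flagged` result only prioritizes hosts for the upgrade to 2.4.61; an unflagged 2.4.60 host may still rely on configuration this check does not parse.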
Source: This report was generated using AI