CVE-2024-40725: 
Apache HTTP Server vulnerability analysis and mitigation

A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. The vulnerability affects Apache HTTP Server versions 2.4.60 through 2.4.61, where 'AddType' and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted (Apache Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and affects only confidentiality with low impact (NVD).

This vulnerability allows unauthenticated remote users to view local content that was not intended to be served or shared, such as PHP scripts. The flaw could lead to the disclosure of sensitive information when files are requested indirectly through specific configurations (Red Hat).

Users are recommended to upgrade to Apache HTTP Server version 2.4.62, which contains the fix for this vulnerability. This is currently the only confirmed mitigation for the issue (Apache Advisory).