CVE-2024-43204: 
Apache HTTP Server vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Apache HTTP Server when modproxy is loaded, identified as CVE-2024-43204. The vulnerability allows an attacker to send outbound proxy requests to a URL controlled by the attacker. This requires an unlikely configuration where modheaders is configured to modify the Content-Type request or response header with a value provided in the HTTP request. The vulnerability affects Apache HTTP Server versions 2.4.0 through 2.4.63 (Apache Security).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The issue specifically occurs when modproxy is loaded and modheaders is configured to modify Content-Type headers based on request input. The vulnerability is tracked as CWE-918 (Server-Side Request Forgery) (NVD Database).

If exploited, this vulnerability allows attackers to send outbound proxy requests to attacker-controlled URLs, potentially leading to Server-Side Request Forgery attacks. This could result in unauthorized access to internal resources or services that should not be accessible externally (Ubuntu Security).

Users are recommended to upgrade to Apache HTTP Server version 2.4.64, which contains the fix for this vulnerability. The issue was discovered by xiaojunjie from 安恒信息杭州市滨江区技能大师工作室 and has been patched in the latest release (Apache Security).