Description

A series of "Confusion Attacks" have been discovered in Apache HTTP Server, exploiting inconsistencies in how different modules interpret and process data. These attacks include Filename Confusion, DocumentRoot Confusion, and Handler Confusion, which can lead to various security issues including bypassing access controls, arbitrary file access, and execution of unintended handlers.

Remediation

Update to the latest version of Apache HTTP Server that addresses these Confusion Attacks. Carefully review and test all RewriteRules, especially those with user-controllable input. Limit the use of FollowSymLinks option and restrict access to sensitive directories. Regularly audit server configurations and installed modules for potential security issues.

References

[EN] Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!

Apache HTTP Server 2.4 vulnerabilities

Related Vulnerabilities

OpenSSL Resource Management Errors Vulnerability (CVE-2015-1792)

phpMyFAQ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-14619)

OpenSSL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-0702)

ownCloud Improper Restriction of XML External Entity Reference Vulnerability (CVE-2014-2052)

MySQL CVE-2021-2144 Vulnerability (CVE-2021-2144)

Severity

High

Classification

CVE-2024-38472 CVE-2024-39573 CVE-2024-38477 CVE-2024-38476 CVE-2024-38475 CVE-2024-38474 CVE-2024-38473 CVE-2023-38709 CWE-436 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Tags

Known Vulnerabilities