Main Vulnerability Database SB2024082292

SB2024082292 - SUSE update for apache2

Published: August 22, 2024 Updated: August 30, 2024

Security Bulletin ID SB2024082292

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2024-38473)

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to insufficient validation of user-supplied input when handling incorrect encoding in mod_proxy. A remote attacker can force the web server to pass request URLs with incorrect encoding to backend services.

2) Input validation error (CVE-ID: CVE-2024-38474)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in mod_rewrite when parsing encoded question marks in backreferences. A remote attacker can execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2024/suse-su-20242999-1/