CVE-2024-47252

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.

In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
apacheCNA
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 28%
VendorProductVersion
apachehttp_server
2.4.0 ≤
𝑥
< 2.4.64
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
apache2
bullseye
vulnerable
bookworm
no-dsa
bullseye (security)
2.4.65-1~deb11u1
fixed
bookworm (security)
vulnerable
trixie
2.4.65-2
fixed
forky
2.4.65-3
fixed
sid
2.4.65-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
apache2
plucky
Fixed 2.4.63-1ubuntu1.1
released
noble
Fixed 2.4.58-1ubuntu8.7
released
jammy
Fixed 2.4.52-1ubuntu4.15
released
focal
Fixed 2.4.41-4ubuntu3.23+esm2
released
bionic
Fixed 2.4.29-1ubuntu4.27+esm6
released
xenial
Fixed 2.4.18-2ubuntu3.17+esm16
released
trusty
needs-triage
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://httpd.apache.org/security/vulnerabilities_24.html