CVE-2024-47252

EUVD-2024-54773
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.

In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
Affected Products (NVD)
VendorProductVersion
apachehttp_server
2.4.0 ≤
𝑥
< 2.4.64
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
apache2
bookworm
2.4.65-1~deb12u1
fixed
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
2.4.65-1~deb11u1
fixed
forky
2.4.65-3
fixed
sid
2.4.66-2
fixed
trixie
2.4.65-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
apache2
bionic
Fixed 2.4.29-1ubuntu4.27+esm6
released
focal
Fixed 2.4.41-4ubuntu3.23+esm2
released
jammy
Fixed 2.4.52-1ubuntu4.15
released
noble
Fixed 2.4.58-1ubuntu8.7
released
plucky
Fixed 2.4.63-1ubuntu1.1
released
questing
Fixed 2.4.64-1ubuntu2
released
trusty
needs-triage
xenial
Fixed 2.4.18-2ubuntu3.17+esm16
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
apache2
suse enterprise desktop 15 SP6
2.4.58-150600.5.35.1
fixed
suse enterprise desktop 15 SP7
2.4.62-150700.4.3.1
fixed
suse enterprise sap 15 SP4
2.4.51-150400.6.46.1
fixed
suse enterprise sap 15 SP5
2.4.51-150400.6.46.1
fixed
suse enterprise sap 15 SP6
2.4.58-150600.5.35.1
fixed
suse enterprise sap 15 SP7
2.4.62-150700.4.3.1
fixed
suse enterprise server 12 SP3
2.4.51-29.128.1
fixed
suse enterprise server 12 SP5
2.4.51-35.69.1
fixed
suse enterprise server 15 SP2
2.4.51-150200.3.82.1
fixed
suse enterprise server 15 SP3
2.4.51-150200.3.82.1
fixed
suse enterprise server 15 SP4
2.4.51-150400.6.46.1
fixed
suse enterprise server 15 SP5
2.4.51-150400.6.46.1
fixed
suse enterprise server 15 SP6
2.4.58-150600.5.35.1
fixed
suse enterprise server 15 SP7
2.4.62-150700.4.3.1
fixed
apache2-devel
suse enterprise sap 15 SP4
2.4.51-150400.6.46.1
fixed
suse enterprise sap 15 SP5
2.4.51-150400.6.46.1
fixed
suse enterprise sap 15 SP6
2.4.58-150600.5.35.1
fixed
suse enterprise sap 15 SP7
2.4.62-150700.4.3.1
fixed
suse enterprise server 12 SP5
2.4.51-35.69.1
fixed
suse enterprise server 15 SP2
2.4.51-150200.3.82.1
fixed
suse enterprise server 15 SP3
2.4.51-150200.3.82.1
fixed
suse enterprise server 15 SP4
2.4.51-150400.6.46.1
fixed
suse enterprise server 15 SP5
2.4.51-150400.6.46.1
fixed
suse enterprise server 15 SP6
2.4.58-150600.5.35.1
fixed
suse enterprise server 15 SP7
2.4.62-150700.4.3.1
fixed
apache2-doc
suse enterprise sap 15 SP4
2.4.51-150400.6.46.1
fixed
suse enterprise sap 15 SP5
2.4.51-150400.6.46.1
fixed
suse enterprise sap 15 SP6
2.4.51-150400.6.46.1
fixed
suse enterprise sap 15 SP7
2.4.51-150400.6.46.1
fixed
suse enterprise server 12 SP3
2.4.51-29.128.1
fixed
suse enterprise server 12 SP5
2.4.51-35.69.1
fixed
suse enterprise server 15 SP2
2.4.51-150200.3.82.1
fixed
suse enterprise server 15 SP3
2.4.51-150200.3.82.1
fixed
suse enterprise server 15 SP4
2.4.51-150400.6.46.1
fixed
suse enterprise server 15 SP5
2.4.51-150400.6.46.1
fixed
suse enterprise server 15 SP6
2.4.51-150400.6.46.1
fixed
suse enterprise server 15 SP7
2.4.51-150400.6.46.1
fixed
apache2-example-pages
suse enterprise server 12 SP3
2.4.51-29.128.1
fixed
suse enterprise server 12 SP5
2.4.51-35.69.1
fixed
apache2-prefork
suse enterprise desktop 15 SP6
2.4.58-150600.5.35.1
fixed
suse enterprise desktop 15 SP7
2.4.62-150700.4.3.1
fixed
suse enterprise sap 15 SP4
2.4.51-150400.6.46.1
fixed
suse enterprise sap 15 SP5
2.4.51-150400.6.46.1
fixed
suse enterprise sap 15 SP6
2.4.58-150600.5.35.1
fixed
suse enterprise sap 15 SP7
2.4.62-150700.4.3.1
fixed
suse enterprise server 12 SP3
2.4.51-29.128.1
fixed
suse enterprise server 12 SP5
2.4.51-35.69.1
fixed
suse enterprise server 15 SP2
2.4.51-150200.3.82.1
fixed
suse enterprise server 15 SP3
2.4.51-150200.3.82.1
fixed
suse enterprise server 15 SP4
2.4.51-150400.6.46.1
fixed
suse enterprise server 15 SP5
2.4.51-150400.6.46.1
fixed
suse enterprise server 15 SP6
2.4.58-150600.5.35.1
fixed
suse enterprise server 15 SP7
2.4.62-150700.4.3.1
fixed
apache2-tls13
suse enterprise server 12 SP5
2.4.51-35.69.1
fixed
apache2-tls13-devel
suse enterprise server 12 SP5
2.4.51-35.69.1
fixed
apache2-tls13-doc
suse enterprise server 12 SP5
2.4.51-35.69.1
fixed
apache2-tls13-example-pages
suse enterprise server 12 SP5
2.4.51-35.69.1
fixed
apache2-tls13-prefork
suse enterprise server 12 SP5
2.4.51-35.69.1
fixed
apache2-tls13-utils
suse enterprise server 12 SP5
2.4.51-35.69.1
fixed
apache2-tls13-worker
suse enterprise server 12 SP5
2.4.51-35.69.1
fixed
apache2-utils
suse enterprise sap 15 SP4
2.4.51-150400.6.46.1
fixed
suse enterprise sap 15 SP5
2.4.51-150400.6.46.1
fixed
suse enterprise sap 15 SP6
2.4.58-150600.5.35.1
fixed
suse enterprise sap 15 SP7
2.4.62-150700.4.3.1
fixed
suse enterprise server 12 SP3
2.4.51-29.128.1
fixed
suse enterprise server 12 SP5
2.4.51-35.69.1
fixed
suse enterprise server 15 SP2
2.4.51-150200.3.82.1
fixed
suse enterprise server 15 SP3
2.4.51-150200.3.82.1
fixed
suse enterprise server 15 SP4
2.4.51-150400.6.46.1
fixed
suse enterprise server 15 SP5
2.4.51-150400.6.46.1
fixed
suse enterprise server 15 SP6
2.4.58-150600.5.35.1
fixed
suse enterprise server 15 SP7
2.4.62-150700.4.3.1
fixed
apache2-worker
suse enterprise sap 15 SP4
2.4.51-150400.6.46.1
fixed
suse enterprise sap 15 SP5
2.4.51-150400.6.46.1
fixed
suse enterprise sap 15 SP6
2.4.58-150600.5.35.1
fixed
suse enterprise sap 15 SP7
2.4.62-150700.4.3.1
fixed
suse enterprise server 12 SP3
2.4.51-29.128.1
fixed
suse enterprise server 12 SP5
2.4.51-35.69.1
fixed
suse enterprise server 15 SP2
2.4.51-150200.3.82.1
fixed
suse enterprise server 15 SP3
2.4.51-150200.3.82.1
fixed
suse enterprise server 15 SP4
2.4.51-150400.6.46.1
fixed
suse enterprise server 15 SP5
2.4.51-150400.6.46.1
fixed
suse enterprise server 15 SP6
2.4.58-150600.5.35.1
fixed
suse enterprise server 15 SP7
2.4.62-150700.4.3.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
httpd
RHEL 9
0:2.4.62-4.el9_6.4
fixed
httpd-core
RHEL 9
0:2.4.62-4.el9_6.4
fixed
httpd-devel
RHEL 9
0:2.4.62-4.el9_6.4
fixed
httpd-filesystem
RHEL 9
0:2.4.62-4.el9_6.4
fixed
httpd-manual
RHEL 9
0:2.4.62-4.el9_6.4
fixed
httpd-tools
RHEL 9
0:2.4.62-4.el9_6.4
fixed
mod
RHEL 9
1:2.4.62-4.el9_6.4
fixed
Common Weakness Enumeration
References
https://httpd.apache.org/security/vulnerabilities_24.html
http://www.openwall.com/lists/oss-security/2025/07/10/2
http://www.openwall.com/lists/oss-security/2025/07/10/6
https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html