Unrated severityNVD Advisory· Published Jul 4, 2024· Updated Feb 13, 2025

Apache HTTP Server: source code disclosure with handlers configured via AddType

CVE-2024-39884

Description

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.

Users are recommended to upgrade to version 2.4.61, which fixes this issue.

Affected products

osv-coords37 versions
pkg:bitnami/apache pkg:rpm/opensuse/apache2-devel&distro=openSUSE%20Leap%2015.6 pkg:rpm/opensuse/apache2&distro=openSUSE%20Leap%2015.5 pkg:rpm/opensuse/apache2&distro=openSUSE%20Leap%2015.6 pkg:rpm/opensuse/apache2&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/apache2-event&distro=openSUSE%20Leap%2015.6 pkg:rpm/opensuse/apache2-manual&distro=openSUSE%20Leap%2015.6 pkg:rpm/opensuse/apache2-prefork&distro=openSUSE%20Leap%2015.6 pkg:rpm/opensuse/apache2-utils&distro=openSUSE%20Leap%2015.6 pkg:rpm/opensuse/apache2-worker&distro=openSUSE%20Leap%2015.6 pkg:rpm/suse/apache2-devel&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6 pkg:rpm/suse/apache2&distro=SUSE%20Enterprise%20Storage%207.1 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP5 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 pkg:rpm/suse/apache2&distro=SUSE%20Manager%20Proxy%204.3 pkg:rpm/suse/apache2&distro=SUSE%20Manager%20Server%204.3 pkg:rpm/suse/apache2-event&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 pkg:rpm/suse/apache2-prefork&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6 pkg:rpm/suse/apache2-tls13&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/apache2-tls13&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/apache2-tls13&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 pkg:rpm/suse/apache2-utils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6 pkg:rpm/suse/apache2-worker&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6
>= 2.4.60, < 2.4.61+ 36 more
- (no CPE)range: >= 2.4.60, < 2.4.61
- (no CPE)range: < 2.4.58-150600.5.23.1
- (no CPE)range: < 2.4.51-150400.6.34.1
- (no CPE)range: < 2.4.58-150600.5.23.1
- (no CPE)range: < 2.4.61-1.1
- (no CPE)range: < 2.4.58-150600.5.23.1
- (no CPE)range: < 2.4.58-150600.5.23.1
- (no CPE)range: < 2.4.58-150600.5.23.1
- (no CPE)range: < 2.4.58-150600.5.23.1
- (no CPE)range: < 2.4.58-150600.5.23.1
- (no CPE)range: < 2.4.58-150600.5.23.1
- (no CPE)range: < 2.4.51-150200.3.79.1
- (no CPE)range: < 2.4.51-150200.3.79.1
- (no CPE)range: < 2.4.51-150400.6.34.1
- (no CPE)range: < 2.4.51-150400.6.34.1
- (no CPE)range: < 2.4.51-150400.6.34.1
- (no CPE)range: < 2.4.58-150600.5.23.1
- (no CPE)range: < 2.4.51-150400.6.34.1
- (no CPE)range: < 2.4.58-150600.5.23.1
- (no CPE)range: < 2.4.51-150400.6.34.1
- (no CPE)range: < 2.4.51-150400.6.34.1
- (no CPE)range: < 2.4.51-35.60.1
- (no CPE)range: < 2.4.51-150200.3.79.1
- (no CPE)range: < 2.4.51-150400.6.34.1
- (no CPE)range: < 2.4.51-35.60.1
- (no CPE)range: < 2.4.51-150200.3.79.1
- (no CPE)range: < 2.4.51-150400.6.34.1
- (no CPE)range: < 2.4.51-35.60.1
- (no CPE)range: < 2.4.51-150400.6.34.1
- (no CPE)range: < 2.4.51-150400.6.34.1
- (no CPE)range: < 2.4.58-150600.5.23.1
- (no CPE)range: < 2.4.58-150600.5.23.1
- (no CPE)range: < 2.4.51-35.60.1
- (no CPE)range: < 2.4.51-35.60.1
- (no CPE)range: < 2.4.51-35.60.1
- (no CPE)range: < 2.4.58-150600.5.23.1
- (no CPE)range: < 2.4.58-150600.5.23.1
Apache Software Foundation/Apache HTTP Serverv5
Range: 2.4.60

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

httpd.apache.org/security/vulnerabilities_24.htmlmitrevendor-advisory
www.openwall.com/lists/oss-security/2024/07/17/6mitre
security.netapp.com/advisory/ntap-20240712-0002/mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000