{
  "threat_severity" : "Important",
  "public_date" : "2024-07-01T00:00:00Z",
  "bugzilla" : {
    "description" : "httpd: Security issues via backend applications whose response headers are malicious or exploitable",
    "id" : "2295015",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2295015"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-829",
  "details" : [ "Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.\nUsers are recommended to upgrade to version 2.4.60, which fixes this issue.", "A flaw was found in httpd. Backend applications whose response headers are malicious or exploitable may allow information disclosure, server-side request forgery (SSRF) or local script execution." ],
  "statement" : "This flaw can only be exploited by backend applications via malicious or exploitable response headers. For this reason, this flaw was rated with an important and not critical severity.\nRed Hat Enterprise Linux 6 is not affected by this vulnerability because the vulnerable code was introduced in a newer version of httpd.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5239",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-httpd-0:2.4.57-13.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5239",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_http2-0:1.15.19-41.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5239",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.49-11.redhat_1.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5239",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_md-1:2.4.24-11.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5239",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-8.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5239",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_security-0:2.9.3-40.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5239",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.57-13.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5239",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_http2-0:1.15.19-41.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5239",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.49-11.redhat_1.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5239",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_md-1:2.4.24-11.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5239",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-8.el7jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5239",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_security-0:2.9.3-40.el7jbcs"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.7 Advanced Update Support",
    "release_date" : "2024-09-11T00:00:00Z",
    "advisory" : "RHSA-2024:6584",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.7",
    "package" : "httpd-0:2.4.6-90.el7_7.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2024-09-25T00:00:00Z",
    "advisory" : "RHSA-2024:7101",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "httpd-0:2.4.6-99.el7_9.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-08-12T00:00:00Z",
    "advisory" : "RHSA-2024:5193",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "httpd:2.4-8100020240807144746.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2024-09-11T00:00:00Z",
    "advisory" : "RHSA-2024:6583",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
    "package" : "httpd:2.4-8020020240821201937.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6467",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "httpd:2.4-8040020240821201239.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6467",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.4",
    "package" : "httpd:2.4-8040020240821201239.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6467",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.4",
    "package" : "httpd:2.4-8040020240821201239.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6468",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "httpd:2.4-8060020240820194205.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6468",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "httpd:2.4-8060020240820194205.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2024-09-09T00:00:00Z",
    "advisory" : "RHSA-2024:6468",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "httpd:2.4-8060020240820194205.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-09-03T00:00:00Z",
    "advisory" : "RHSA-2024:6136",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.8",
    "package" : "httpd:2.4-8080020240820193327.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-08-08T00:00:00Z",
    "advisory" : "RHSA-2024:5138",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "httpd-0:2.4.57-11.el9_4.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2024-08-26T00:00:00Z",
    "advisory" : "RHSA-2024:5832",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "httpd-0:2.4.51-7.el9_0.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-08-26T00:00:00Z",
    "advisory" : "RHSA-2024:5812",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "httpd-0:2.4.53-11.el9_2.11"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5240",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "jbcs-httpd24-httpd"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-38476\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-38476\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-38476" ],
  "name" : "CVE-2024-38476",
  "mitigation" : {
    "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
    "lang" : "en:us"
  },
  "csaw" : false
}