{
  "threat_severity" : "Important",
  "public_date" : "2024-07-18T00:00:00Z",
  "bugzilla" : {
    "description" : "httpd: SSRF in Apache HTTP Server on Windows via mod_rewrite in server/vhost context",
    "id" : "2298648",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2298648"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-918",
  "details" : [ "SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests.\nUsers are recommended to upgrade to version 2.4.62 which fixes this issue. ", "A flaw was found in HTTPd on Windows systems. This issue potentially allows NTLM hashes to be leaked via mod_rewrite in server/vhost context to a malicious server via Server-side request forgery (SSRF) and malicious requests or content." ],
  "statement" : "This flaw only affects HTTPd running on Windows systems. Therefore, the HTTPd package as shipped in Red Hat Enterprise Linux 6, 7, 8 and 9 is not affected by this vulnerability.",
  "affected_release" : [ {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:6928",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "httpd:2.4/httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat JBoss Core Services",
    "fix_state" : "Affected",
    "package_name" : "jbcs-httpd24-httpd",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-40898\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40898\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2024-40898",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}