CVE-2024-38475 Information
Jul 02, 2024
cve
Description
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that the server is permitted to serve but that are not intentionally or directly reachable by any URL, resulting in code execution or source code disclosure.
Substitutions in server context (httpd.conf and VirtualHost configuration, not .htaccess) that use a backreference or a variable as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by the fix, and the rewrite flag UnsafePrefixStat can be used to opt back in once the substitution has been appropriately constrained so that client input cannot steer its first segment.
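The following triage script is an added example, not part of the advisory or of the Apache project. It shows the affected directive shape (a RewriteRule whose substitution begins with a backreference such as $1 or a variable such as %{DOCUMENT_ROOT}), a rule that has already opted back in with UnsafePrefixStat, and a grep-based check you can point at server-context configuration files to find candidates for review. The function names, the sample configuration fragment and the /serve/ and /legacy/ paths in it are constructed for this example.

```shell
#!/bin/sh
# Added triage example for CVE-2024-38475; not from the advisory or the
# Apache project.  It lists RewriteRule directives whose substitution begins
# with a backreference ($N) or a variable (%N / %{NAME}), the shape the
# advisory says is affected, and separates out those already carrying the
# UnsafePrefixStat opt-in flag.  Function names and the sample config are
# constructed for this example.

# Print every RewriteRule line in file $1 whose substitution starts with
# "$" or "%" (optionally inside quotes), prefixed with its line number.
# Comment lines never match because the pattern is anchored on RewriteRule.
find_prefix_substitutions() {
    pattern='^[[:space:]]*RewriteRule[[:space:]]+("[^"]*"|[^[:space:]]+)[[:space:]]+["'\'']?[$%]'
    grep -En "$pattern" "$1" || true
}

# Same list minus rules that already opt back in with UnsafePrefixStat.
# These are the rules whose behaviour changes on a fixed httpd and that
# deserve a manual look before the upgrade.
find_unflagged() {
    find_prefix_substitutions "$1" | grep -v 'UnsafePrefixStat' || true
}

# Number of affected-shape rules in file $1.
count_affected() {
    find_prefix_substitutions "$1" | grep -c . || true
}

# Number of affected-shape rules in file $1 that lack the opt-in flag.
count_unflagged() {
    find_unflagged "$1" | grep -c . || true
}

# Write a constructed server-context config fragment to path $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
RewriteEngine On
# Not affected: the substitution begins with a literal path segment
RewriteRule "^/files/(.*)$" "/serve/$1" [L]
# Affected: the substitution is the backreference itself
RewriteRule "^/files/(.*)$" "$1" [L]
# Affected: the substitution begins with a variable
RewriteRule "^/legacy/(.*)$" "%{DOCUMENT_ROOT}/legacy/$1" [L]
# Affected shape, deliberately opted back in after review: DOCUMENT_ROOT is
# not client-controlled and the result stays under a fixed subdirectory
RewriteRule "^/legacy/(.*)$" "%{DOCUMENT_ROOT}/legacy/$1" [L,UnsafePrefixStat]
# Affected: unquoted pattern, single-quoted substitution
RewriteRule ^/old/(.*)$ '$1' [R]
EOF
}

# Stand-alone demo: build the sample file and print both lists.
demo() {
    conf=$(mktemp)
    write_sample_conf "$conf"
    echo "Affected-shape rules:"
    find_prefix_substitutions "$conf"
    echo "Without UnsafePrefixStat (review before upgrading):"
    find_unflagged "$conf"
    rm -f "$conf"
}

demo
```

Run it against httpd.conf and the files it includes (conf.d/*.conf, sites-enabled/*.conf); rules in .htaccess or inside a Directory block are per-directory context and are not what this advisory describes. A match is a candidate for review, not proof of exploitability: the rule is only dangerous when the client can make the leading backreference or variable resolve to an absolute filesystem path. The fix shipped in Apache HTTP Server 2.4.60, where such a substitution is no longer treated as a filesystem path unless the rule carries UnsafePrefixStat; add the flag only for rules whose first segment cannot be influenced by the request, and restructure the rest so the substitution begins with a literal prefix.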
Reference
https://httpd.apache.org/security/vulnerabilities_24.html