Alpine: apache2: security update to 2.4.60-r0

critical Tenable Self-Hosted Container Security Plugin ID 408465

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure,
SSRF or local script execution via backend applications whose response headers are malicious or
exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue. (CVE-2024-38476)

- Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference,
leading to a crash of the server process, degrading performance. (CVE-2024-36387)

- SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via
SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this
issue. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList"
to allow access during request processing. (CVE-2024-38472)

- Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect
encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users
are recommended to upgrade to version 2.4.60, which fixes this issue. (CVE-2024-38473)

- Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to
execute scripts in directories permitted by the configuration but not directly reachable by any URL or
source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to
version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now
fail unless rewrite flag "UnsafeAllow3F" is specified. (CVE-2024-38474)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-36387

https://security.alpinelinux.org/vuln/CVE-2024-38472

https://security.alpinelinux.org/vuln/CVE-2024-38473

https://security.alpinelinux.org/vuln/CVE-2024-38474

https://security.alpinelinux.org/vuln/CVE-2024-38475

https://security.alpinelinux.org/vuln/CVE-2024-38476

https://security.alpinelinux.org/vuln/CVE-2024-38477

https://security.alpinelinux.org/vuln/CVE-2024-39573

Plugin Details

Severity: Critical

ID: 408465

Version: Revision 1.35

Type: Local

Published: 7/1/2024

Updated: 11/3/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: High

Score: 7.3

Percentile: 98.46

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-38476

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 7/1/2024

Reference Information

CVE: CVE-2024-36387, CVE-2024-38472, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, CVE-2024-38477, CVE-2024-39573

IAVA: 2024-A-0378-S