Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <84cbcd48-3bf5-0623-0d72-97008c12add1@apache.org>
Date: Thu, 10 Jul 2025 17:12:36 +0000
From: Eric Covener <covener@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-43204: Apache HTTP Server: SSRF with mod_headers setting
 Content-Type header 

Severity: low 

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.63

Description:

SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker.  Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.

Users are recommended to upgrade to version 2.4.64 which fixes this issue.

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-43204

Timeline:

2024-08-07: reported
2025-07-07: 2.4.x revision

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.