oss-security - CVE-2024-47252: Apache HTTP Server: mod

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <4b5a13c9-7e55-f0cd-cf17-289b92faeab0@apache.org>
Date: Thu, 10 Jul 2025 17:13:54 +0000
From: Eric Covener <covener@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-47252: Apache HTTP Server: mod_ssl error log variable
 escaping 

Severity: low 

Affected versions:

- Apache HTTP Server 2.4 through 2.4.63

Description:

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.

In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.

Credit:

John Runyon (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-47252

Timeline:

2024-09-18: reported
2025-07-07: 2.4.x revision 1927042

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.