CVE-2024-38475

CRITICAL | Year: 2024
CVSS v3 Score: 9.1 (Critical)

Vulnerability Description

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change, and the rewrite flag "UnsafePrefixStat" can be used to opt back in after ensuring the substitution is appropriately constrained.

CVSS:9.1(Critical)

Improper Encoding or Escaping of Output in GitHub repository froxlor/froxlor prior to 2.0.21.

CVSS:9.1(Critical)

Radware Cloud Web Application Firewall (WAF) before 2025-05-07 allows remote attackers to bypass firewall filters by adding a special character to the request.

CVSS:9.0(Critical)

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default cont...

CVSS:8.8(High)

WordPress W3 Super Cache Plugin before 1.3.2 contains a PHP code-execution vulnerability which could allow remote attackers to inject arbitrary code. This issue exists because of an incomplete fix for...

CVSS:8.8(High)

contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.

CVSS:8.8(High)

A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) version 8 when the server fails to properly sanitize web requests to an affected Dynamics server, aka "Microsoft Dy...