| Package | apache2 |
|---|---|
| Version | 2.4.59-1~deb10u4 (buster) |
| Related CVEs | CVE-2024-38473 |

A vulnerability was found in apache2, a popular web server.
An encoding problem in mod_proxy allowed request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.
This affects configurations where mechanisms other than ProxyPass/ProxyPassMatch or RewriteRule with the ‘P’ flag are used to configure a request to be proxied, such as SetHandler or inadvertent proxying via CVE-2024-39573.
Note that these alternate mechanisms may be used within .htaccess.
For Debian 10 buster, these problems have been fixed in version 2.4.59-1~deb10u4.
We recommend that you upgrade your apache2 packages.
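The following audit helper is an added example, not part of the advisory: it compares the installed apache2 package with the fixed version above and lists active `SetHandler` directives that select a `proxy:` handler in `*.conf` and `.htaccess` files. The function names and the directories passed to it are assumptions, and it does not detect proxying reached through CVE-2024-39573.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names are hypothetical.
FIXED_VERSION='2.4.59-1~deb10u4'   # fixed version for buster, from the advisory

# Exit 0: installed apache2 is older than the fix; 1: at or past it;
# 2: version unknown (package not installed, or not a dpkg system).
apache2_needs_upgrade() {
    installed=$(dpkg-query -W -f='${Version}' apache2 2>/dev/null) || return 2
    [ -n "$installed" ] || return 2
    dpkg --compare-versions "$installed" lt "$FIXED_VERSION"
}

# Print file:line:text for every active (non-comment) SetHandler directive
# that selects a proxy: handler in *.conf and .htaccess files under "$@".
find_proxy_sethandler() {
    find "$@" -type f \( -name '*.conf' -o -name '.htaccess' \) \
        -exec grep -HniE '^[[:space:]]*SetHandler[[:space:]]+"?proxy:' {} + \
        2>/dev/null || true
}

# Report the package state, then the directives that need review.
audit() {
    rc=0
    apache2_needs_upgrade || rc=$?
    case $rc in
        0) echo "apache2 is older than $FIXED_VERSION: upgrade needed" ;;
        1) echo "apache2 is at or past $FIXED_VERSION" ;;
        *) echo "apache2 version could not be determined" ;;
    esac
    hits=$(find_proxy_sethandler "$@")
    if [ -n "$hits" ]; then
        echo "SetHandler proxy: directives to review:"
        printf '%s\n' "$hits"
    else
        echo "no SetHandler proxy: directives found under: $*"
    fi
}

# Run only when directories are given, e.g.: sh audit.sh /etc/apache2 /var/www
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

Directives found in `.htaccess` files deserve particular attention, since the advisory notes that these mechanisms may be configured there.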
Further information about Extended LTS security advisories can be found in the dedicated section of our website.