CRITICAL · CVSS 9.1
CVE-2024-38475 — Apache httpd mod_rewrite file-system escape
A mod_rewrite misconfiguration under certain rule patterns allowed attackers to escape the document root and serve arbitrary files from the filesystem.
Affects
- Apache HTTP Server 2.4.59 and earlier
What an attacker does
With specific RewriteRule patterns that substitute URL parts into filesystem paths, an attacker crafts a URL that normalises into a path outside the document root, reading application source code or secrets.
How to detect
Apache version + rewrite-rule audit.
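A minimal sketch of such an audit, added here as an example and not Securie's or the Apache project's own code: it compares a version banner against the 2.4.60 fix named on this page and lists RewriteRule lines whose substitution carries URL-derived parts into a path. The function names, the review heuristic (a backreference or server variable in the substitution, noted separately when it sits in the first path segment) and the sample config are assumptions made for the example.

```python
import re

FIXED = (2, 4, 60)  # first fixed release named in this advisory

def is_vulnerable_version(banner):
    """True if an 'Apache/x.y.z' banner (e.g. `httpd -v` output) is below 2.4.60."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache/x.y.z version in banner")
    return tuple(int(p) for p in m.groups()) < FIXED

# RewriteRule <pattern> <substitution> [flags]
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
DYNAMIC = re.compile(r"[$%]\d|%\{[^}]+\}")          # $N, %N or %{VAR}
URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def audit_rules(conf_text):
    """Return (line_no, substitution, reason) for rules worth manual review."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = RULE.match(line)            # commented-out lines never match
        if not m:
            continue
        subst = m.group(2)
        if subst == "-" or URL_SCHEME.match(subst):
            continue                    # no rewrite, or an absolute URL target
        if not DYNAMIC.search(subst):
            continue                    # fixed target: no URL part reaches the path
        first_segment = subst.lstrip("/").split("/", 1)[0]
        where = "first" if DYNAMIC.search(first_segment) else "later"
        findings.append((no, subst, f"URL-derived value in {where} path segment"))
    return findings

# Constructed sample input, not taken from any real deployment.
SAMPLE_CONF = """\
RewriteEngine On
# RewriteRule ^/old/(.*)$ $1
RewriteRule ^/assets/(.*)$ /var/www/static/$1 [L]
RewriteRule ^/user/([^/]+)/(.*)$ $1/public/$2 [L]
RewriteRule ^/docs$ /var/www/docs/index.html [L]
RewriteRule ^/go/(.*)$ https://example.com/$1 [R=302,L]
"""

if __name__ == "__main__":
    print(is_vulnerable_version("Server version: Apache/2.4.59 (Unix)"))
    for finding in audit_rules(SAMPLE_CONF):
        print(finding)
```

A finding here is a prompt for manual review on hosts still below the fixed version, not proof that a rule is exploitable.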
How to fix
Upgrade Apache httpd to 2.4.60+.
Securie finding: critical · CVSS 9.1 · CVE-2024-38475
How Securie catches CVE-2024-38475
Securie's IaC specialist flags vulnerable Apache versions + problematic RewriteRule patterns.