Bug 2295012 (CVE-2024-38473)

Summary: CVE-2024-38473 httpd: Encoding problem in mod_proxy
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akapse, csutherl, hmatsumo, jclere, pjindal, plodge, szappis
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the mod_proxy module of httpd. Due to an encoding problem, specially crafted request URLs with incorrect encoding can be sent to backend services, potentially bypassing authentication.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2295109    
Bug Blocks:    

Description OSIDB Bzimport 2024-07-01 19:21:42 UTC 
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.
Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Comment 2 errata-xmlrpc 2024-07-23 08:49:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4720 https://access.redhat.com/errata/RHSA-2024:4720
Comment 3 errata-xmlrpc 2024-07-23 13:18:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:4726 https://access.redhat.com/errata/RHSA-2024:4726
Comment 4 errata-xmlrpc 2024-08-05 09:00:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:5001 https://access.redhat.com/errata/RHSA-2024:5001
Comment 5 errata-xmlrpc 2024-08-13 13:06:26 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2024:5240 https://access.redhat.com/errata/RHSA-2024:5240
Comment 6 errata-xmlrpc 2024-08-13 13:08:03 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2024:5239 https://access.redhat.com/errata/RHSA-2024:5239