Bug 2297362 (CVE-2024-40725) - CVE-2024-40725 httpd: source code disclosure with handlers configured via AddType
Summary: CVE-2024-40725 httpd: source code disclosure with handlers configured via Add...
Keywords:
Status: NEW
Alias: CVE-2024-40725
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2298751
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-07-11 16:53 UTC by Guilherme de Almeida Suckevicz
Modified: 2025-05-16 08:27 UTC (History)
7 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2024-07-11 16:53:42 UTC 
A partial fix for  CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.

Reference:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-40725
Comment 1 林博仁(Buo-ren, Lin) 2024-12-18 05:46:47 UTC 
For the record, [the CVE-2024-39884 patch in the 2.4.37-65.module+el8.10.0+22196 version of the httpd package](https://git.rockylinux.org/staging/rpms/httpd/-/blame/r8-stream-2.4/SOURCES/httpd-2.4.37-CVE-2024-39884+.patch?ref_type=heads#L224) already includes [the upstream fix of CVE-2024-40725](https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http/http_request.c?r1=1919249&r2=1919248&pathrev=1919249).
Note You need to log in before you can comment on or make changes to this bug.