CRITICAL · CVSS 9.1
CVE-2024-38475 — Apache httpd mod_rewrite file-system escape
A mod_rewrite misconfiguration under certain rule patterns allowed attackers to escape the document root and serve arbitrary files from the filesystem.
Affects
- Apache HTTP Server 2.4.59 and earlier
What an attacker does
With specific RewriteRule patterns that substitute URL parts into filesystem paths, an attacker crafts a URL that normalises into a path outside the document root, reading application source code or secrets.
How to detect
Check the running Apache httpd version (2.4.59 or earlier is affected) and audit the configured RewriteRule patterns for rules that substitute captured URL parts into filesystem paths.
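An added example of the two checks above (not code from the advisory or from Securie): a version comparison against the fixed release and a heuristic audit that flags RewriteRule lines whose substitution is an absolute path carrying a backreference. The config fragment and the "risky/safe" heuristic are constructed for illustration.

```python
import re

# Constructed httpd config fragment for the audit (not from any real deployment).
SAMPLE_CONFIG = """\
DocumentRoot /var/www/html
RewriteEngine On
# safe: fixed target, no captured URL parts reach the filesystem path
RewriteRule ^/status$ /var/www/html/status.html [L]
# risky: captured request segment substituted into a filesystem path
RewriteRule ^/files/(.*)$ /srv/data/$1 [L]
# URL-to-URL redirect, not a filesystem target
RewriteRule ^/old/(.*)$ https://example.test/new/$1 [R=301,L]
"""

FIXED_VERSION = (2, 4, 60)  # first release with the fix, per the advisory


def parse_version(banner):
    """Extract (major, minor, patch) from '2.4.59' or 'Apache/2.4.59 (Ubuntu)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised version string: {banner!r}")
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(banner):
    """True for httpd 2.4.59 and earlier, the range the advisory names."""
    return parse_version(banner) < FIXED_VERSION


RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
BACKREF_RE = re.compile(r"\$\d|%\d")  # $N (rule capture) or %N (cond capture)


def risky_rewrite_rules(config_text):
    """Heuristic audit (an assumption, not httpd's own logic): flag RewriteRule
    lines whose substitution is an absolute path and contains a backreference,
    i.e. request-controlled text ends up in the path httpd will map to.
    Returns a list of (line_number, rule_text)."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, other directives
        substitution = m.group(2)
        if substitution.startswith("/") and BACKREF_RE.search(substitution):
            hits.append((lineno, line.strip()))
    return hits


if __name__ == "__main__":
    print("vulnerable version:", version_is_vulnerable("Apache/2.4.59 (Ubuntu)"))
    for lineno, rule in risky_rewrite_rules(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}")
```

Rules the audit flags still need a human review of the captured pattern and the target directory; the version check is the authoritative signal.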
How to fix
Upgrade Apache httpd to 2.4.60+.
How Securie catches it
Securie's IaC scanner flags vulnerable Apache versions + problematic RewriteRule patterns.