CVE-2024-43394

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-43394
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-43394.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-43394
Aliases
Downstream
Published
2025-07-10T17:15:46Z
Modified
2025-08-12T18:01:35Z
Summary
[none]
Details

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via  mod_rewrite or apache expressions that pass unvalidated request input.

This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63.

Note:  The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths.

The server offers limited protection against administrators directing the server to open UNC paths. Windows servers should limit the hosts they will connect over via SMB based on the nature of NTLM authentication.

References

Affected packages

Git / github.com/apache/httpd

Affected ranges

Type
GIT
Repo
https://github.com/apache/httpd
Events
Introduced
da5873e80d6eee7a0838793bf68f1d0254745fbb
Fixed
7e926454793abd7d71b6afc8bd1ec1648752c6ad