CVE-2024-47252

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-47252

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47252.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-47252

Aliases

BIT-apache-2024-47252

Downstream

ALPINE-CVE-2024-47252

BELL-CVE-2024-47252

DEBIAN-CVE-2024-47252

DLA-4270-1

MINI-j77g-348h-hrxh

OESA-2025-2168

OESA-2025-2169

OESA-2025-2170

OESA-2025-2171

OESA-2025-2172

OESA-2025-2278

RHSA-2025:13680

RHSA-2025:14901

RHSA-2025:14902

RHSA-2025:14903

RHSA-2025:14997

RHSA-2025:15023

RHSA-2025:15095

RHSA-2025:15123

RHSA-2025:15516

RHSA-2025:15619

RHSA-2025:15684

RHSA-2025:15698

RLSA-2025:15095

RLSA-2025:15123

SUSE-SU-2025:02565-1

UBUNTU-CVE-2024-47252

USN-7639-1

USN-7639-2

Related

Published

2025-07-10T17:15:46Z

Modified

2025-09-06T13:01:27Z

Summary

[none]

Details

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.

In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by modssl such as SSLTLSSNI, no escaping is performed by either modlogconfig or modssl and unsanitized data provided by the client may appear in log files.

References

https://httpd.apache.org/security/vulnerabilities_24.html

Affected packages

Git / github.com/apache/httpd

Affected ranges

Type: GIT
Repo: https://github.com/apache/httpd
Events: Introduced

da5873e80d6eee7a0838793bf68f1d0254745fbb

Fixed

7e926454793abd7d71b6afc8bd1ec1648752c6ad