CVE-2024-47252
BaseFortify
Publication date: 2025-07-10
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | http_server | From 2.4.0 (inc) to 2.4.64 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-150 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is insufficient escaping of user-supplied data in the mod_ssl module of Apache HTTP Server 2.4.63 and earlier (fixed in 2.4.64). When a CustomLog format uses "%{varname}x" or "%{varname}c" to log a variable provided by mod_ssl, such as SSL_TLS_SNI, neither mod_log_config nor mod_ssl escapes the value before it is written. Because the client chooses the SNI string in its TLS ClientHello, an untrusted SSL/TLS client can place control characters such as newlines or terminal escape sequences into the access log, which is a log injection (CWE-150). Configurations that use only the standard "common" or "combined" formats do not log mod_ssl variables and are not affected.
How can this vulnerability impact me?
An attacker only needs to complete a TLS handshake with a crafted SNI value; no authentication and no valid HTTP request are required. Injected characters can split one log entry into several, forge entries that attribute requests to other hosts or status codes, hide the attacker's own activity, and drive terminal escape sequences onto the screen of an administrator tailing the log. Downstream log processors that assume one entry per line and no control characters may misparse the file or, depending on the tool, be exploited through it. Upgrading to 2.4.64 resolves the issue; until then, removing "%{...}x" and "%{...}c" items for mod_ssl variables from CustomLog formats avoids it.
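The following added example (not code from BaseFortify or from the httpd project) reproduces the log-injection effect described in both answers above on constructed sample data. It renders access-log lines for a CustomLog format that ends in "%{SSL_TLS_SNI}x", once verbatim as an unpatched server would and once through escape_logitem(), a Python reimplementation of the escaping httpd's ap_escape_logitem() applies to other log items (exact byte-for-byte equivalence with httpd is an assumption). parse_access_log() plays the role of a one-entry-per-line log tool, and find_control_chars() is a simple detector for unescaped client data in an existing log. The request tuples, IP addresses and timestamps are constructed for the example.

```python
import re

# Regex for the constructed CustomLog format used in this example:
#   "%h %l %u %t \"%r\" %>s %b \"%{SSL_TLS_SNI}x\""
# (common log format plus the client's SNI as a trailing quoted field).
LOG_FORMAT_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<sni>.*)"$'
)

# Raw C0 control characters or DEL inside a physical log line.
CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')


def escape_logitem(value: str) -> str:
    """Escape one log field the way httpd's ap_escape_logitem() treats other
    log items: C-style escapes for backspace, newline, CR, tab and VT,
    backslash-escaped backslash and double quote, and \\xHH for every other
    control byte, DEL and non-ASCII byte. Python reimplementation written for
    this example; equivalence with httpd's output is an assumption."""
    simple = {'\b': '\\b', '\n': '\\n', '\r': '\\r', '\t': '\\t', '\v': '\\v',
              '\\': '\\\\', '"': '\\"'}
    out = []
    for ch in value:
        code = ord(ch)
        if ch in simple:
            out.append(simple[ch])
        elif code < 0x20 or code == 0x7f:
            out.append('\\x%02x' % code)
        elif code >= 0x80:
            out.extend('\\x%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


# Constructed requests: (client, timestamp, request line, status, bytes, SNI).
REQUESTS = [
    ("203.0.113.5", "10/Jul/2025:12:00:01 +0000", "GET / HTTP/1.1", 200, 612,
     "www.example.com"),
    ("198.51.100.9", "10/Jul/2025:12:00:02 +0000", "GET /admin HTTP/1.1", 403, 199,
     # Attacker-chosen SNI: ESC[2K clears the current terminal line (hiding the
     # real entry for anyone tailing the log), then a newline starts a forged
     # entry whose last field is completed by the format's own closing quote.
     '\x1b[2K\n10.0.0.1 - - [10/Jul/2025:12:00:02 +0000] '
     '"GET /healthz HTTP/1.1" 200 2 "www.example.com'),
]


def render_line(host, time, request, status, size, sni, escape_sni):
    """Render one entry; escape_sni=False mimics httpd < 2.4.64 for this item."""
    field = escape_logitem(sni) if escape_sni else sni
    return f'{host} - - [{time}] "{request}" {status} {size} "{field}"'


def write_log(requests, escape_sni):
    """Return the access log text the server would write for the requests."""
    return ''.join(render_line(*r, escape_sni=escape_sni) + '\n' for r in requests)


def parse_access_log(text):
    """Parse one physical line per entry, as most log tools do.
    Lines that do not match the format are returned as {'unparsed': line}."""
    entries = []
    for line in text.split('\n'):
        if not line:
            continue
        m = LOG_FORMAT_RE.match(line)
        entries.append(m.groupdict() if m else {"unparsed": line})
    return entries


def find_control_chars(text):
    """1-based numbers of physical lines containing raw control characters,
    a sign that unescaped client data reached the log."""
    return [i for i, line in enumerate(text.split('\n'), 1)
            if CONTROL_CHARS.search(line)]


if __name__ == "__main__":
    for escaped in (False, True):
        log = write_log(REQUESTS, escape_sni=escaped)
        print(f"escape_sni={escaped}: {len(parse_access_log(log))} entries "
              f"for {len(REQUESTS)} requests; control chars on lines "
              f"{find_control_chars(log)}")
```

With escaping off, the two requests yield three physical lines: the genuine 198.51.100.9 entry is left unparseable and a forged 10.0.0.1 entry with status 200 parses as if the server wrote it. With escaping on, the same SNI is confined to a single quoted field and find_control_chars() reports nothing, which is also the check to run over existing logs from servers that were below 2.4.64.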