Member-only story
CVE-2024–40725 and CVE-2024–40898: Critical Vulnerabilities in Apache HTTP Server
Explore the details of CVE-2024–40725 and CVE-2024–40898, two critical vulnerabilities in Apache HTTP Server. Learn about the risks, affected versions, and mitigation strategies to protect your web servers.
Published in
6 min readJul 21, 2024
The Apache Software Foundation recently disclosed two critical vulnerabilities, CVE-2024–40725 and CVE-2024–40898, affecting versions 2.4.0 through 2.4.61 of the Apache HTTP Server.
The Apache HTTP Server, a cornerstone of many web infrastructures, is vulnerable to two significant threats:
- CVE-2024–40725: A partial fix regression for a previous issue (CVE-2024–39884), which allows source code disclosure via certain legacy content-type based configuration settings.
- CVE-2024–40898: An SSRF vulnerability in the
mod_rewritemodule on Windows systems, enabling attackers to extract NTML hashes through carefully crafted requests.
This article delves into the technical details, impacted products, and mitigation strategies to safeguard your web servers. Presentation of two PoCs from TAM-K592.
