CVE-2024-47252

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-47252
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://httpd.apache.org/security/vulnerabilities_24.html Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
History

29 Jul 2025, 15:15

Type Values Removed Values Added
References () https://httpd.apache.org/security/vulnerabilities_24.html - () https://httpd.apache.org/security/vulnerabilities_24.html - Vendor Advisory
First Time Apache http Server
Apache
CPE cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

15 Jul 2025, 20:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5

15 Jul 2025, 13:24

Type Values Removed Values Added
Summary
  • (es) Un escape insuficiente de los datos proporcionados por el usuario en mod_ssl en Apache HTTP Server 2.4.63 y versiones anteriores permite que un cliente SSL/TLS no confiable inserte caracteres de escape en los archivos de registro en algunas configuraciones. En una configuración de registro donde se usa CustomLog con "%{varname}x" o "%{varname}c" para registrar variables proporcionadas por mod_ssl, como SSL_TLS_SNI, ni mod_log_config ni mod_ssl realizan ningún escape, y los datos no saneados proporcionados por el cliente pueden aparecer en los archivos de registro.

10 Jul 2025, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-10 17:15

Updated : 2025-07-29 15:15

NVD link : CVE-2024-47252

Mitre link : CVE-2024-47252

CVE.ORG link : CVE-2024-47252

JSON object : View

Products Affected

apache

  • http_server
CWE
CWE-150

Improper Neutralization of Escape, Meta, or Control Sequences