Advisory

Apache Software Foundation fixes source code disclosure flaw in Apache HTTP server

Take action: A fairly serious flaw if you are running Apache HTTP Server version 2.4.60. The exploit scenario is not published, so you have some time to plan a patch. But don't ignore this flaw: someone will eventually publish an exploit, and your server will then be immediately targeted by automated attack scripts.


Learn More

The Apache Software Foundation has addressed a vulnerability in its widely-used Apache HTTP Server, tracked as CVE-2024-39884 (CVSS score 9.1).

This vulnerability is a source code disclosure flaw caused by a regression in handling legacy content-type configurations in Apache HTTP Server version 2.4.60. It allows unauthorized users to access and view the source code of files that should have been processed by a handler, such as server-side scripts and configuration files. For instance, PHP scripts may be served as plain text instead of being interpreted, exposing sensitive server-side code.

This exposure can lead to further security breaches if sensitive data is disclosed (for example database credentials or API keys).

The Apache Foundation strongly advises users to upgrade to Apache HTTP Server version 2.4.61.
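To confirm, after upgrading, that scripts on a server you administer are again being executed rather than delivered as text, the following check is an added example (it is not part of this advisory or of Apache's own tooling). It assumes you have a known script URL to request; the sample responses embedded at the bottom are constructed.

```python
"""Post-patch verification for the source disclosure class described above.

Classifies an HTTP response as 'disclosed' (raw script source came back),
'interpreted' (a handler produced normal output) or 'inconclusive'.
"""
import re
import urllib.request

# Markers that indicate a script was delivered as text instead of executed.
# Constructed list covering PHP and CGI scripts; extend for other languages.
SOURCE_MARKERS = (
    re.compile(rb"<\?php\b"),      # PHP opening tag
    re.compile(rb"^#!/", re.M),    # CGI shebang line
)

# Content types that suggest the file was served as-is rather than handled.
RAW_CONTENT_TYPES = ("text/plain", "application/x-httpd-php",
                     "application/octet-stream")


def classify_response(content_type: str, body: bytes) -> str:
    """Return 'disclosed', 'interpreted' or 'inconclusive' for one response."""
    ctype = content_type.split(";")[0].strip().lower()
    if any(m.search(body) for m in SOURCE_MARKERS):
        return "disclosed"          # source markers present: script not run
    if ctype in RAW_CONTENT_TYPES:
        return "inconclusive"       # served as text, but no markers found
    return "interpreted"


def check_url(url: str, timeout: float = 5.0) -> str:
    """Fetch url (assumed to be a script on a server you administer)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return classify_response(resp.headers.get("Content-Type", ""),
                                 resp.read())


if __name__ == "__main__":
    # Constructed sample responses, so this runs without any network access.
    leaked = b"<?php\n$db = new PDO('mysql:host=db', 'app', 'secret');\n"
    rendered = b"<html><body>Hello from the app</body></html>"
    print(classify_response("text/plain", leaked))                   # disclosed
    print(classify_response("text/html; charset=utf-8", rendered))   # interpreted
```

Run `check_url("https://your-host/path/test.php")` against your own server after the upgrade; anything other than `interpreted` warrants a look at the handler configuration.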
