Advisory 2024-09/01 Apache HTTP Server Vulnerabilities

Vulnerability type: Server-side request forgery (SSRF), denial of service, improper encoding or escaping of output, insufficient information, null pointer dereference, improper input validation
Severity factors

These vulnerabilities carry severity ratings ranging from low through high to critical for affected users.

FileCloud is updating Apache HTTP Server to version 2.4.62 to fix these vulnerabilities.

Versions affected: FileCloud versions earlier than 23.241.1 are affected.
Version fixed: FileCloud version 23.241.1 and later

Description

In Apache HTTP Server versions below 2.4.60:

  • On Windows, SSRF may allow hash leakage
  • Request URLs with incorrect encoding may bypass authentication
  • Script execution may occur in restricted areas
  • A weakness in mod_rewrite may allow arbitrary code execution
  • Backend response headers may enable SSRF or local script execution
  • Crafted requests may cause denial of service attacks
  • mod_rewrite may enable SSRF
  • Null pointer dereference may cause the server to crash

Fix

FileCloud version 23.241.1.27146 upgrades Apache HTTP Server to version 2.4.62, which does not include these vulnerabilities.

What you should do to fix this vulnerability

  • If you are using FileCloud Server, we recommend that you update to the latest version, which is 23.241.1.27146 or greater.
  • If you are using FileCloud Online, your site has already been updated to the latest version.
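To confirm an upgrade took effect, the following added example (not FileCloud or Apache tooling) classifies a reported Apache HTTP Server version against the two versions this advisory names, 2.4.60 and 2.4.62, and a FileCloud version against 23.241.1. The function names and sample banners are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not FileCloud or Apache tooling): triage version strings
# against the versions named in this advisory.

# ver_lt A B: succeeds when dotted numeric version A is strictly lower than B.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}        # a missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                        # equal versions are not "lower"
}

# apache_status TEXT: TEXT is `httpd -v` output or a Server response header.
apache_status() {
    v=$(printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1)
    if [ -z "$v" ]; then
        echo "unknown"              # e.g. ServerTokens Prod hides the version
    elif ver_lt "$v" 2.4.60; then
        echo "affected $v"          # the issues listed under Description
    elif ver_lt "$v" 2.4.62; then
        echo "below-fix $v"         # older than the release the fix ships
    else
        echo "fixed $v"
    fi
}

# filecloud_affected VERSION: succeeds for FileCloud earlier than 23.241.1.
filecloud_affected() { ver_lt "$1" 23.241.1; }

# Constructed sample inputs, one per outcome.
for banner in "Server version: Apache/2.4.58 (Win64)" \
              "Server: Apache/2.4.61 (Unix)" \
              "Server version: Apache/2.4.62 (Unix)" \
              "Server: Apache"; do
    printf '%-40s -> %s\n' "$banner" "$(apache_status "$banner")"
done
```

A result of `unknown` means the banner carried no version number, so run `httpd -v` on the host itself and pass its output to `apache_status`.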

If you have any questions about this advisory, please contact FileCloud support.