CVE-2024-47252NVD

Vulnerability Summary

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.

In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.

Severity Level

HIGH(7.5)

Published Date

Jul 10, 2025

Last Modified

Jul 29, 2025

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-150: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityHigh

IntegrityNone

AvailabilityNone

External References

https://httpd.apache.org/security/vulnerabilities_24.html

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2024-47252NVD

Vulnerability Summary

External References