Description

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.

INFO

Published Date :

2025-07-10T16:55:20.013Z

Last Modified :

2025-11-04T21:08:59.176Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2024-47252 vulnerability.

Vendors Products
Apache
  • Apache Http Server
  • Http Server
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-47252.

URL Resource
http://www.openwall.com/lists/oss-security/2025/07/10/2 cve-icon
http://www.openwall.com/lists/oss-security/2025/07/10/6 cve-icon
https://httpd.apache.org/security/vulnerabilities_24.html cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2025/08/msg00009.html cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-47252 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-47252 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact