CVE-2024-39884 [Medium] | Security Vulnerability in Http Server

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.25%	0.89%	+0.64%
2	2026-01-14	0.27%	0.25%	-0.02%
3	2026-01-04	—	0.27%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.25%

0.89%

+0.64%

2026-01-14

0.27%

0.25%

-0.02%

2026-01-04

—

0.27%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.2	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	2.5	3.6	134c704f-9b21-4f2e-91b3-4a467353bcc0

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.2

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

2.5

3.6

134c704f-9b21-4f2e-91b3-4a467353bcc0

OS Trackers for CVE-2024-39884

vendor	priority	summary	link
`alpine`	—	CVE-2024-39884: 1 source package rows (apache2); 7 state rows across 7 repos (3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 7, open 0.	https://security.alpinelinux.org/vuln/CVE-2024-39884
`debian`	unimportant	CVE-2024-39884 unimportant priority: Debian including 1 source packages (apache2), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2024-39884
`gentoo`	low	CVE-2024-39884: 1 GLSA(s) (202409-31), 1 atom(s) (www-servers/apache); latest impact low.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2024-39884
`redhat`	high	—	https://access.redhat.com/security/cve/CVE-2024-39884
`suse`	medium	CVE-2024-39884 severity moderate: SUSE including 299 source package names (2.8:apache2-utils-2.4.58-150600.5.23.1, 4.3.13.9.57.26:apache2-2.4.51-150400.6.34.1, …), 503 product×package rows across 73 product lines (Container bci/php-apache, Container suse/manager/4.3/proxy-httpd, … (73 product lines)): Fixed 252, Known Affected 231, Known Not Affected 20.	https://www.suse.com/security/cve/CVE-2024-39884/
`ubuntu`	medium	CVE-2024-39884 medium priority: Ubuntu including 1 source packages (apache2), 11 status rows across 11 suites (bionic, focal, jammy, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): released 8, needs-triage 3.	https://ubuntu.com/security/CVE-2024-39884

Affected software / configurations for CVE-2024-39884

Vendor	Product	Version	Raw CPE
apache	http_server	2.4.60	cpe:2.3:a:apache:http_server:2.4.60:::::::*
netapp	ontap_tools	10	cpe:2.3:a:netapp:ontap_tools:10:::::vmware_vsphere::

References for CVE-2024-39884

URL	Tags
http://www.openwall.com/lists/oss-security/2024/07/17/6	Mailing List
https://httpd.apache.org/security/vulnerabilities_24.html	Vendor Advisory
https://security.netapp.com/advisory/ntap-20240712-0002/	Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/07/03/8	Mailing List

URL

CVE-2024-39884 | Apache HTTP Server: source code disclosure with handlers configured via AddType

Exploit prediction scoring system (EPSS) score for CVE-2024-39884

Common vulnerability scoring system (CVSS) metrics for CVE-2024-39884

Weakness enumeration for CVE-2024-39884

OS Trackers for CVE-2024-39884

Affected software / configurations for CVE-2024-39884

References for CVE-2024-39884