What is the CVSS score of CVE-2024-47252?

CVE-2024-47252 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of TLS are affected by CVE-2024-47252?

Apache HTTP Server versions 2.4.63 and earlier contain a log injection vulnerability that allows attackers to manipulate server log files by injecting escape characters through SSL/TLS connections.. A patch is available.

Is there a public PoC exploit available for CVE-2024-47252?

Yes, a public proof-of-concept exploit is available for CVE-2024-47252. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2024-47252?

Within 24 hours: Identify all Apache HTTP Server instances running version 2.4.63 or earlier with CustomLog directives using SSL variables (%{varname}x or %{varname}c). Within 7 days: Implement compensating controls by disabling SSL variable logging if not operationally critical, or restrict untrusted client connections via network segmentation. Within 30 days: Monitor vendor security advisories for patch availability and prepare upgrade testing in non-production environments; establish log monitoring for suspicious escape character patterns as interim detection.

TLS CVE-2024-47252

EUVD-2024-54773 HIGH

Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)

2025-07-10 security@apache.org

Apache Information Disclosure TLS Red Hat Http Server Suse

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 16, 2026 - 06:52 euvd

EUVD-2024-54773

Analysis Generated

Mar 16, 2026 - 06:52 vuln.today

CVE Published

Jul 10, 2025 - 17:15 nvd

HIGH 7.5

DescriptionNVD

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.

In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.

AnalysisAI

CVE-2024-47252 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Technical ContextAI

Vulnerability type not specified by vendor. CVSS 7.5 indicates high severity.

RemediationAI

Monitor vendor channels for patch availability.

More from same product – last 7 days

CVE-2025-48977 HIGH This Week

8.5 May 28

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve

CVE-2026-9277 HIGH This Week

8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

CVE-2026-42782 HIGH This Week

7.2 May 25

Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig

CVE-2026-43827 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0

Vendor StatusVendor

Ubuntu

Priority: Medium

apache2

Release	Status	Version
trusty	needs-triage	-
upstream	released	2.4.64-1
jammy	released	2.4.52-1ubuntu4.15
noble	released	2.4.58-1ubuntu8.7
plucky	released	2.4.63-1ubuntu1.1
bionic	released	2.4.29-1ubuntu4.27+esm6
focal	released	2.4.41-4ubuntu3.23+esm2
xenial	released	2.4.18-2ubuntu3.17+esm16
questing	released	2.4.64-1ubuntu2

USN-7639-1 USN-7639-2

Debian

apache2

Release	Status	Fixed Version	Urgency
bullseye	fixed	2.4.65-1~deb11u1	-
bullseye (security)	fixed	2.4.66-1~deb11u1	-
bookworm	fixed	2.4.65-1~deb12u1	-
bookworm (security)	vulnerable	2.4.62-1~deb12u2	-
trixie	fixed	2.4.66-1~deb13u2	-
forky, sid	fixed	2.4.66-8	-
(unstable)	fixed	2.4.64-1	-

DLA-4270-1

CVE-2024-47252 vulnerability details – vuln.today

Back

TLS CVE-2024-47252

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Ubuntu

Debian

Share

External POC / Exploit Code