PT-2023-2262 · Apache+10 · Apache HTTP Server+10

Dimas Fariski Setyawan Putra +1 · Published 2023-01-29 · Updated 2025-05-15 · CVE-2023-27522

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:C/A:P

Name of the Vulnerable Software and Affected Versions

Apache HTTP Server versions 2.4.30 through 2.4.55
uWSGI PyPI package versions prior to 2.0.22

Description

The issue is an HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. Special characters in the origin response header can truncate or split the response forwarded to the client. This can allow a remote attacker to perform an HTTP request smuggling attack.

Recommendations

For Apache HTTP Server versions 2.4.30 through 2.4.55, update to a version that includes the fix for this issue.
For uWSGI PyPI package versions prior to 2.0.22, update to version 2.0.22 or later.
As a temporary workaround, consider disabling the mod_proxy_uwsgi module until a patch is available.
Restrict access to the vulnerable module to minimize the risk of exploitation.

Exploit

Fix

HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

ALSA-2023:5050
ALSA-2023:6403
ALT-PU-2023-1402
ALT-PU-2023-1437
ALT-PU-2023-1452
ALT-PU-2023-2055
ALT-PU-2023-7559
ALT-PU-2024-10573
ALT-PU-2024-10796
ALT-PU-2024-10861
AZL-25606
BDU:2023-02021
BIT-APACHE-2023-27522
CESA-2023_5050
CVE-2023-27522
DLA-3401-1
DSA-5376-1
GHSA-VCPH-37MH-FQRH
MGASA-2023-0100
OESA-2023-1161
OPENSUSE-SU-2024:12776-1
OPENSUSE-SU-2024:13346-1
RHSA-2023:4629
RHSA-2023:5049
RHSA-2023:5050
RHSA-2023:6403
RHSA-2023_5050
RHSA-2023_6403
RHSA-2024:4504
RLSA-2023:5050
SUSE-SU-2023:0764-1
SUSE-SU-2023:0799-1
SUSE-SU-2023:1573-1
SUSE-SU-2023:1658-1
USN-5942-1

Affected Products

ALT Linux
AlmaLinux
Apache HTTP Server
Astra Linux
CentOS
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu