PT-2023-9025 · Apache · Apache Http Server

Orange Tsai · Published 2023-06-26 · Updated 2026-05-28 · CVE-2023-38709

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions through 2.4.58

Description: The issue stems from faulty input validation in the Apache HTTP Server core. Header values produced by malicious or exploitable backend or content generators are not checked for CRLF sequences, so such a generator can terminate the header block early and split the HTTP response. A remote attacker can exploit this to perform HTTP response splitting attacks.

Recommendations: For Apache HTTP Server versions through 2.4.58, update to a version newer than 2.4.58 to resolve the issue. As a temporary workaround, restrict access to vulnerable backends or content generators to reduce the risk of exploitation, and avoid emitting HTTP headers whose values may contain CRLF sequences until the fix is applied.
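The defensive check the description implies, written out as an added example (this is not httpd's code and the sample header values are constructed): a header value containing CR or LF must be rejected before it is serialized, because an embedded CRLF ends the current header line and can start a second response. The block also includes a post-serialization check that a message carries exactly one status line, which is how a test harness or front end can detect a split response produced by a faulty component.

```python
"""Added example (not Apache HTTP Server's own code): reject CR/LF in header
values before serialization and detect responses that contain more than one
status line. All sample values below are constructed."""

import re

# RFC 9110 field values must not contain a bare CR or LF; line folding is obsolete.
_FORBIDDEN = re.compile(r"[\r\n]")


class UnsafeHeaderValue(ValueError):
    """A header value that would terminate the header line early."""


def validate_header_value(name: str, value: str) -> str:
    """Return the value unchanged if it is safe to emit, raise otherwise.

    A CR or LF inside the value lets a backend or content generator end the
    header block and begin a second response: the response splitting the
    advisory describes.
    """
    if _FORBIDDEN.search(value):
        raise UnsafeHeaderValue(f"{name}: CR/LF not allowed in header value")
    return value


def serialize_response(status: str, headers: dict, body: bytes) -> bytes:
    """Serialize an HTTP/1.1 response, refusing any header that would split it."""
    lines = [f"HTTP/1.1 {status}"]
    for name, value in headers.items():
        lines.append(f"{name}: {validate_header_value(name, value)}")
    lines.append(f"Content-Length: {len(body)}")
    head = "\r\n".join(lines) + "\r\n\r\n"
    return head.encode("ascii") + body


def status_line_count(raw: bytes) -> int:
    """Count status lines in a serialized message; a sound response has exactly one.

    Anchored at line start so a status-line-looking string inside a header value
    or body text is not counted; only a line that begins a message is.
    """
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3} ", raw))


def response_is_split(raw: bytes) -> bool:
    """True when the serialized bytes contain zero or several status lines."""
    return status_line_count(raw) != 1


if __name__ == "__main__":
    good = serialize_response("200 OK", {"Content-Type": "text/plain"}, b"hi")
    print(good.decode("ascii"))
    print("split:", response_is_split(good))
    try:
        # Constructed backend header value carrying a CRLF; must be refused.
        serialize_response("200 OK", {"X-Backend": "a\r\nX-Injected: 1"}, b"")
    except UnsafeHeaderValue as exc:
        print("rejected:", exc)
```

The validation runs on every header the front end forwards, not only on ones that look suspicious; the split check is cheap enough to run on every response in a test harness that drives the real server with backend-supplied headers.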

Related Identifiers

ALSA-2024:4197
ALSA-2024:9306
ALT-PU-2024-5986
ALT-PU-2024-5990
ALT-PU-2024-6193
ALT-PU-2024-6194
AZL-38605
AZL-39190
BDU:2024-03101
BIT-APACHE-2023-38709
CESA-2024_4197
CVE-2023-38709
DLA-3818-1
DSA-5662-1
INFSA-2024_4197
INFSA-2024_9306
MGASA-2024-0118
OESA-2024-1553
OPENSUSE-SU-2024_1963-1
RHSA-2024:4197
RHSA-2024:6927
RHSA-2024:9306
RHSA-2024_4197
RHSA-2024_9306
RLSA-2024:4197
RLSA-2024:9306
SUSE-SU-2024:1627-1
SUSE-SU-2024:1788-1
SUSE-SU-2024:1868-1
SUSE-SU-2024:1963-1
USN-6729-1
USN-6729-2
USN-6729-3
USN-8338-1

Affected Products

Alt Linux
Almalinux
Apache Http Server
Astra Linux
Centos
Linuxmint
Apple Macos
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu