CVE-2016-8743: Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers…

high7.5CVSS 3.1

AVNACLPRNUINSUCNIHAN

Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

Affected

28 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	http_server	2.2.0 – 2.2.31	—
apache	http_server	2.4.1 – 2.4.23	—
apache_software_foundation	apache_http_server	—	—
apple	macos_high_sierra	—	—
apple	macos_high_sierra_10.13.1_security_update_2017-001_sierra_and_security_update_20	—	—
apple	macos_sierra_10.12.4_security_update_2017-001_el_capitan_and_security_update_201	—	—
debian	apache2	< apache2 2.4.25-1 (bookworm)	apache2 2.4.25-1 (bookworm)
debian	debian_linux	—	—
debian	debian_linux	—	—
redhat	enterprise_linux_desktop	—	—
redhat	enterprise_linux_desktop	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_server	—	—
redhat	enterprise_linux_server	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_tus	—	—
redhat	enterprise_linux_server_tus	—	—
redhat	enterprise_linux_server_tus	—	—

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

osv7.5HIGH