CVE-2023-27522

CWE-444 — HTTP Request Smuggling CWE-11313 documents10 sources

Severity

7.5HIGH

EPSS

0.8%

top 26.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Unbit Uwsgi Apache Software Foundation Apache Http Server +1 more

Timeline

PublishedMar 7

Latest updateMar 23

Description

HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶NVDapache/http_server2.4.30 — 2.4.56

▶CVEListV5apache_software_foundation/apache_http_server2.4.30 — 2.4.55

▶Alpineapache2< 2.4.56-r0+9

▶Debianapache2< 2.4.56-1~deb11u1+3

▶PyPIuWSGI< 2.0.22

Also affects: Debian Linux 10.0

🔴Vulnerability Details

OSV

apache2 vulnerabilities↗2023-03-09

▶

GHSA

Apache HTTP Server via mod_proxy_uwsgi HTTP response smuggling↗2023-03-07

▶

OSV

CVE-2023-27522: HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi↗2023-03-07

▶

CVEList

Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting↗2023-03-07

▶

OSV

Apache HTTP Server via mod_proxy_uwsgi HTTP response smuggling↗2023-03-07

▶

📋Vendor Advisories

Microsoft

Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting↗2023-03-14

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2023-03-09

▶

Red Hat

httpd: mod_proxy_uwsgi HTTP response splitting↗2023-03-07

▶

Debian

CVE-2023-27522: apache2 - HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi....↗2023

▶

Apache

Apache httpd: CVE-2023-27522↗

▶

💬Community

HackerOne

Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting (CVE-2023-27522)↗2023-03-23

▶