CVE-2023-38709

CWE-1284 CWE-444 — HTTP Request Smuggling CWE-20 — Improper Input Validation CWE-11317 documents10 sources

Severity

7.3HIGH

EPSS

3.3%

top 12.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apple Macos Apache Software Foundation Apache Http Server +4 more

Timeline

PublishedApr 4

Latest updateJul 14

Description

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages6 packages

▶NVDapache/http_server< 2.4.59

▶CVEListV5apache_software_foundation/apache_http_server2.4.0 — 2.4.63+1

▶Alpineapache2< 2.4.59-r0+7

▶Debianapache2< 2.4.59-1~deb11u1+3

▶Ubuntuapache2< 2.4.41-4ubuntu3.17+4

Also affects: Ontap 9, Ontap Tools 10, Debian Linux 10.0, Fedora 38, 39, 40

🔴Vulnerability Details

OSV

apache2 vulnerabilities↗2024-04-29

▶

OSV

apache2 vulnerabilities↗2024-04-17

▶

OSV

apache2 vulnerabilities↗2024-04-11

▶

CVEList

Apache HTTP Server: HTTP response splitting↗2024-04-04

▶

OSV

CVE-2023-38709: Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses↗2024-04-04

▶

📋Vendor Advisories

Red Hat

httpd: incomplete fix for CVE-2023-38709↗2025-07-14

▶

Apple

CVE-2023-38709: macOS Sonoma 14.6↗2024-07-29

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-04-29

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-04-17

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-04-11

▶

💬Community

HackerOne

moderate: Apache HTTP Server: HTTP response splitting (CVE-2023-38709)↗2024-07-13

▶