CVE-2024-24795: HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to…

medium6.3CVSS 3.1

AVNACLPRNUIRSUCLILAL

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.

Affected

21 ranges

Vendor	Product	Version range	Fixed in
apache	http_server	>= 2.4.0 < 2.4.59	2.4.59
apache_software_foundation	apache_http_server	2.4.0 – 2.4.58	—
apple	macos	< 14.6	14.6
apple	macos_sonoma	—	—
debian	apache2	< apache2 2.4.59-1~deb12u1 (bookworm)	apache2 2.4.59-1~deb12u1 (bookworm)
debian	debian_linux	—	—
debian	uwsgi	< apache2 2.4.59-1~deb12u1 (bookworm)	apache2 2.4.59-1~deb12u1 (bookworm)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
msrc	azl3_httpd_2.4.58-4_on_azure_linux_3.0	—	—
msrc	azl3_httpd_2.4.61-1_on_azure_linux_3.0	—	—
msrc	azure_linux_3.0_arm	—	—
msrc	azure_linux_3.0_x64	—	—
msrc	cbl2_httpd_2.4.58-1_on_cbl_mariner_2.0	—	—
msrc	cbl2_httpd_2.4.59-1_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_2.0_arm	—	—
msrc	cbl_mariner_2.0_x64	—	—
netapp	ontap	—	—
netapp	ontap_tools	—	—
ubuntu	apache2	—	—

CVSS provenance

nvdv3.16.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

osv7.3HIGH