CVE-2024-24795

CWE-113 CWE-444 — HTTP Request Smuggling15 documents9 sources

Severity

6.3MEDIUM

EPSS

1.1%

top 21.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apple Macos Apache Software Foundation Apache Http Server +4 more

Timeline

PublishedApr 4

Latest updateJul 29

Description

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages6 packages

▶NVDapache/http_server2.4.0 — 2.4.59

▶CVEListV5apache_software_foundation/apache_http_server2.4.0 — 2.4.58

▶Alpineapache2< 2.4.59-r0+7

▶Debianapache2< 2.4.59-1~deb11u1+3

▶Ubuntuapache2< 2.4.41-4ubuntu3.17+1

Also affects: Ontap 9, Ontap Tools 10, Debian Linux 10.0, Fedora 38, 39, 40

🔴Vulnerability Details

OSV

apache2 vulnerabilities↗2024-04-29

▶

OSV

apache2 vulnerabilities↗2024-04-17

▶

OSV

apache2 vulnerabilities↗2024-04-11

▶

CVEList

Apache HTTP Server: HTTP Response Splitting in multiple modules↗2024-04-04

▶

OSV

CVE-2024-24795: HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applicati↗2024-04-04

▶

📋Vendor Advisories

Apple

CVE-2024-24795: macOS Sonoma 14.6↗2024-07-29

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-04-29

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-04-17

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-04-11

▶

Microsoft

Apache HTTP Server: HTTP Response Splitting in multiple modules↗2024-04-09

▶