HTTP response splitting in Apache HTTP Server 2.4.0 through 2.4.66 allows remote attackers to inject arbitrary HTTP headers and content when the server acts as a proxy to untrusted or compromised backend servers, enabling cache poisoning, session fixation, and cross-site scripting attacks. CVSS 6.5 (moderate) with network attack vector, no authentication required, and confirmed automatable exploitation per CISA SSVC framework. Vendor-released patch: version 2.4.67.