EUVD-2024-54775

CVE-2024-42516 | HIGH | 7.5 (CVSS 3.1) | published 2025-07-10

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 16, 2026 - 06:52 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 06:52 (euvd) - EUVD-2024-54775
CVE Published: Jul 10, 2025 - 17:15 (nvd)

Description

HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response. This vulnerability was described as CVE-2023-38709, but the patch included in Apache HTTP Server 2.4.59 did not address the issue. Users are recommended to upgrade to version 2.4.64, which fixes this issue.

Analysis

HTTP response splitting in the Apache HTTP Server core lets an attacker who can influence the Content-Type response header of an application hosted by or proxied through httpd inject additional headers and body content into the response. No authentication is required (CVSS PR:N), but exploitation does need an application that passes attacker-controlled data into Content-Type; the rated impact is integrity-only (C:N, I:H, A:N), with cache poisoning, cookie injection and cross-site scripting as the usual downstream consequences of a split response. Affected: Apache HTTP Server before 2.4.64. The fix shipped for CVE-2023-38709 in 2.4.59 did not cover this case, so servers patched only for the earlier CVE remain affected. The record shows no KEV entry and no public proof of concept (see Priority Score below); the incomplete earlier fix is a reason to re-check patch status, not evidence of active exploitation.

Technical Context

HTTP response splitting occurs when attacker-controlled data reaches an HTTP response header without carriage-return and line-feed characters being neutralised (the canonical weakness is CWE-113, Improper Neutralization of CRLF Sequences in HTTP Headers; this record is filed under CWE-20, Improper Input Validation). Here the weak point is the httpd core's handling of the Content-Type response header: a value containing a CRLF sequence is written to the wire unchanged, which ends the Content-Type line early and lets the remainder be read as further header lines or, after an empty line, as the start of the body. The attacker does not need to reach httpd's own request parser; it is enough to control what a hosted or reverse-proxied application sets as Content-Type. The splitting relies on the line-based header framing of HTTP/1.1. The earlier fix for CVE-2023-38709 in 2.4.59 did not cover this path, and 2.4.64 is the first release that does. The affected range is the 2.4 line up to and including 2.4.63, as listed under Affected Products.
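The mechanism in runnable form. This is an added illustration, not Apache httpd source and not code from the vuln.today record: a server-side header writer that copies an application-supplied Content-Type verbatim, a receiver that parses the result the way a browser or cache would, and a hardened writer that refuses CR/LF. The attacker string and the reflecting endpoint are constructed for the demo.

```python
"""Added illustration of the CVE-2024-42516 mechanism (not Apache httpd source,
not code from the vuln.today record).  The attacker value and the reflecting
application are constructed for the demo."""
from typing import Callable, Dict, List, Tuple

Header = Tuple[str, str]
CRLF = "\r\n"


def write_response_unsafe(status: str, headers: List[Header], body: bytes) -> bytes:
    """Flawed behaviour: every header value is written verbatim, so CR/LF inside a
    value terminates that header line and whatever follows becomes new header
    lines (or, after an empty line, the body)."""
    lines = [f"HTTP/1.1 {status}"] + [f"{name}: {value}" for name, value in headers]
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1") + body


def write_response_safe(status: str, headers: List[Header], body: bytes) -> bytes:
    """Hardened variant: refuse any header name or value containing CR, LF or NUL
    (the CWE-113 neutralisation that was missing for Content-Type)."""
    for name, value in headers:
        if any(c in name or c in value for c in ("\r", "\n", "\0")):
            raise ValueError(f"CR/LF/NUL in response header {name!r}")
    return write_response_unsafe(status, headers, body)


def parse_response(raw: bytes) -> Tuple[str, Dict[str, List[str]], bytes]:
    """Reads the wire bytes like a strict HTTP/1.1 receiver: status line, header
    lines up to the first empty line, then the body.  Header names are lowercased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split(CRLF)
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers, body


# Constructed attacker input, reflected into Content-Type by a hypothetical
# download endpoint that lets the client choose the MIME type of the reply.
ATTACKER_TYPE = "text/plain\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>"


def application_headers(content_type: str) -> List[Header]:
    """What the hosted/proxied application hands to the server for this request."""
    return [("Content-Type", content_type), ("Content-Length", "2"), ("X-Frame-Options", "DENY")]


def split_demo(writer: Callable[..., bytes] = write_response_unsafe):
    """Runs the attacker value through `writer` and returns what a receiver sees:
    (status line, headers, body)."""
    raw = writer("200 OK", application_headers(ATTACKER_TYPE), b"ok")
    return parse_response(raw)


def hardened_rejects() -> bool:
    """True when the hardened writer refuses the attacker value but still emits a
    legitimate Content-Type unchanged."""
    try:
        split_demo(write_response_safe)
        return False
    except ValueError:
        pass
    status_line, headers, body = parse_response(
        write_response_safe("200 OK", application_headers("text/html; charset=utf-8"), b"ok"))
    return (status_line == "HTTP/1.1 200 OK"
            and headers["content-type"] == ["text/html; charset=utf-8"]
            and body == b"ok")


if __name__ == "__main__":
    status_line, headers, body = split_demo()
    print("injected header seen by receiver:", headers.get("set-cookie"))
    print("application's X-Frame-Options pushed into the body:", b"X-Frame-Options" in body)
    print("hardened writer rejects the value:", hardened_rejects())
```

Note what the receiver sees in the unsafe case: the injected Set-Cookie is a real header, the script text is the start of the body, and the application's own Content-Length and X-Frame-Options lines land inside the body where no client honours them. That is why the impact is rated as integrity loss even though the attacker never touches the server's request parser.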

Affected Products

Apache HTTP Server (2.4.0 through 2.4.63)

Remediation

patch: Upgrade to Apache HTTP Server 2.4.64 or later; details: this is the first release with the complete fix for response splitting in Content-Type handling, and 2.4.59 (the CVE-2023-38709 fix) is not sufficient. Distribution packages backport the fix under older version numbers, so on Ubuntu and Debian compare the installed package version against the fixed versions in the Vendor Status tables below rather than against 2.4.64.

interim_mitigation: ModSecurity or similar WAF rules on responses; details: inspect outgoing response headers and block or log any header value containing CR or LF. This catches the symptom only and does not remove the flaw.

interim_mitigation: Restrict proxied backends; details: limit mod_proxy targets to trusted internal services, and make sure those applications never copy client input into Content-Type; sanitize backend responses at the application layer where possible.

interim_mitigation: Response header validation in the httpd configuration; details: directives can rewrite or strip suspicious Content-Type values if the patch cannot be deployed immediately, but because the flaw is in the core's handling of the content type rather than in a module, verify any such rule against a test request that carries CRLF in the Content-Type before relying on it.

configuration: Review and harden Content-Type header policy; details: applications should set explicit, fixed Content-Type values and must not echo user input into any response header.
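Two of the remediation items above in runnable form, as an added example that is not code from the vuln.today record or from Apache httpd: an application-layer guard that stops CR/LF from reaching any response header of a WSGI application that httpd hosts or proxies (the "sanitize backend responses" mitigation), and a check of `httpd -v` output against the upstream fixed version. The reflecting endpoint, its `type` query parameter, the guard's class name and the sample version strings are constructed for the demo.

```python
"""Added example for the interim mitigations (not code from the vuln.today
record or from Apache httpd).  The reflecting endpoint, the ?type= parameter
and the sample `httpd -v` lines are constructed for the demo."""
import re
from typing import Callable, Iterable, List, Tuple
from urllib.parse import parse_qs

BAD_HEADER_CHARS = re.compile(r"[\r\n\x00]")
UPSTREAM_FIXED = (2, 4, 64)  # first upstream release with the complete fix


class HeaderInjectionError(ValueError):
    pass


class HeaderCRLFGuard:
    """WSGI middleware (hypothetical name).  In 'reject' mode a response carrying
    CR/LF/NUL in any header name or value is replaced by a plain 500; in 'strip'
    mode the characters are removed.  Rejecting is the safer default because
    stripping silently changes a MIME type the application meant to send."""

    def __init__(self, app: Callable, mode: str = "reject"):
        if mode not in ("reject", "strip"):
            raise ValueError("mode must be 'reject' or 'strip'")
        self.app, self.mode = app, mode

    def __call__(self, environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            clean: List[Tuple[str, str]] = []
            for name, value in headers:
                if BAD_HEADER_CHARS.search(name) or BAD_HEADER_CHARS.search(value):
                    if self.mode == "strip":
                        name, value = BAD_HEADER_CHARS.sub("", name), BAD_HEADER_CHARS.sub("", value)
                    else:
                        raise HeaderInjectionError(f"CR/LF/NUL in response header {name!r}")
                clean.append((name, value))
            return start_response(status, clean, exc_info)

        try:
            return self.app(environ, guarded_start_response)
        except HeaderInjectionError:
            # The real start_response has not been called yet, so a clean error
            # response can still be sent instead of the poisoned one.
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain; charset=utf-8")])
            return [b"response header rejected\n"]


def reflecting_app(environ, start_response) -> Iterable[bytes]:
    """Constructed vulnerable endpoint: copies the client-chosen ?type= value into
    Content-Type, which is the application-side pattern CVE-2024-42516 needs."""
    wanted = parse_qs(environ.get("QUERY_STRING", "")).get("type", ["application/octet-stream"])[0]
    start_response("200 OK", [("Content-Type", wanted), ("Content-Length", "5")])
    return [b"data\n"]


def call_wsgi(app, query_string: str) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Minimal in-process WSGI driver for the demo; returns (status, headers, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, list(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/download", "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


def upstream_httpd_fixed(httpd_v_output: str) -> bool:
    """Parses the 'Server version: Apache/x.y.z' line printed by `httpd -v` and
    returns True for 2.4.64 or later.  Valid for upstream builds only: Ubuntu and
    Debian backport the fix under older version numbers, so for those packages
    compare the package version with the vendor table instead."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if not m:
        raise ValueError("no Apache version string in input")
    return tuple(int(x) for x in m.groups()) >= UPSTREAM_FIXED


if __name__ == "__main__":
    payload = "type=text%2Fplain%0D%0ASet-Cookie%3A%20session%3Dattacker"
    print("unguarded app emits:", call_wsgi(reflecting_app, payload)[1])
    print("guarded (reject) status:", call_wsgi(HeaderCRLFGuard(reflecting_app), payload)[0])
    print("guarded (strip) headers:", call_wsgi(HeaderCRLFGuard(reflecting_app, "strip"), payload)[1])
    print("2.4.63 fixed upstream?", upstream_httpd_fixed("Server version: Apache/2.4.63 (Unix)"))
```

The guard is a mitigation for applications you control behind httpd; it does nothing for a vulnerable server fronting code you cannot change, and the version check deliberately refuses to reason about distribution package versions because a jammy apache2 at 2.4.52-1ubuntu4.15 is fixed while an upstream 2.4.63 is not.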

Priority Score

38 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.3, CVSS +38, POC 0

Vendor Status

Ubuntu

Priority: Medium
Package: apache2

Release    Status        Version
trusty     needs-triage  -
upstream   released      2.4.64-1
jammy      released      2.4.52-1ubuntu4.15
noble      released      2.4.58-1ubuntu8.7
plucky     released      2.4.63-1ubuntu1.1
bionic     released      2.4.29-1ubuntu4.27+esm6
focal      released      2.4.41-4ubuntu3.23+esm2
xenial     released      2.4.18-2ubuntu3.17+esm16
questing   released      2.4.64-1ubuntu2

Debian

Package: apache2

Release              Status      Version             Urgency
bullseye             fixed       2.4.65-1~deb11u1    -
bullseye (security)  fixed       2.4.66-1~deb11u1    -
bookworm             fixed       2.4.65-1~deb12u1    -
bookworm (security)  vulnerable  2.4.62-1~deb12u2    -
trixie               fixed       2.4.66-1~deb13u2    -
forky, sid           fixed       2.4.66-8            -
(unstable)           fixed       2.4.64-1            -


EUVD-2024-54775 vulnerability details – vuln.today
