Malicious Input Validation Flaw Affects Apache HTTP Server
CVE-2023-38709

7.3HIGH

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 4 April 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A significant input validation flaw exists in the core functionality of Apache HTTP Server, specifically impacting versions up to 2.4.58. This vulnerability enables malicious actors or backend content generators to exploit this weakness, leading to the potential for HTTP response splitting. Such an attack could allow for various security implications, including session fixation and cache poisoning, thereby compromising the integrity and confidentiality of affected systems. Organizations using the impacted versions should act swiftly to mitigate this vulnerability and enhance the security posture of their web servers.

Affected Version(s)

Apache HTTP Server 0 <= 2.4.58

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

apache-vulnerability-testing
Created by mrmtwoj

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

https://security.netapp.com/advisory/ntap-20240415-0013/

https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Oct 6, 2024
👾
Exploit known to exist
Oct 6, 2024
Vulnerability published
Apr 4, 2024

Credit

Orange Tsai (@orange_8361) from DEVCORE