Apache HTTP Server Fixes HTTP Desynchronization Vulnerability
CVE-2024-24795

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 4 April 2024

What is CVE-2024-24795?

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

Users are recommended to upgrade to version 2.4.59, which fixes this issue.

Affected Version(s)

Apache HTTP Server 2.4.0 <= 2.4.58

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 4, 2024

Credit

Keran Mu, Tsinghua University and Zhongguancun Laboratory.

Jianjun Chen, Tsinghua University and Zhongguancun Laboratory.