CVE-2023-38709: Apache HTTP Server: HTTP response splitting
Published Apr 4, 2024
·Updated
Accounts. The issue was addressed with improved checks.
Credit
Yeto, IES Red Team(ByteDance), Linwz(DEVCORE), Csaba Fitzl@@theevilbit(Kandji), Mickey Jin@@patch1t, Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), CertiK SkyFall Team, D4m0n, Amir Bazine(CrowdStrike Counter Adversary Operations), Karsten König(CrowdStrike Counter Adversary Operations), CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466, an anonymous researcher, Yann Gascuel(Alter Solutions), w0wbox, CVE-2023-6277, CVE-2023-52356, Yisumi, Junsung Lee(Trend Micro Zero Day Initiative), (CrowdStrike Counter Adversary Operations), Gandalf4a, Wang Yu(Cyberserval), Ye Zhang@@VAR10CK(Baidu Security), sqrtpwn, Minghao Lin(Zhejiang University), Jiaxun Zhu(Zhejiang University), Patrick Wardle(DoubleYou), CVE-2024-40805, Rodolphe BRUNETTI@@eisw0lf, Adam M., CVE-2024-6387, Pedro Tôrres@@t0rr3sp3dr0, Zhongquan Li@@Guluisacat(Dawn Security Lab of JingDong), Mickey Jin@@patch1t(Kandji), (Kandji), Mateen Alinaghi, Claudio Bozzato(Cisco Talos), Francesco Benvenuto(Cisco Talos), Csaba Fitzl@@theevilbit(Offensive Security), Yadhu Krishna M(Cyber Security At Suma Soft Pvt), Narendra Bhati(Cyber Security At Suma Soft Pvt), Manager(Cyber Security At Suma Soft Pvt), Pune (India), Wojciech Regula(SecuRing), (Dawn Security Lab of JingDong), Kirin@@Pwnrin, Joshua Jones, Jiwon Park, Marcio Almeida(Tanto Security), Bistrit Dahal, Srijan Poudel, Jiahui Hu (梅零落)(NorthSea), Meng Zhang (鲸落)(NorthSea), Arsenii Kostromin (0x3c3e), ajajfxhj, Huang Xilin(Ant Group Light), Maksymilian Motyl, Johan Carlsson (joaxcar), Seunghyun Lee@@0x10n(KAIST Hacking Lab working with Trend Micro Zero Day Initiative), CVE-2024-4558, Matthew Butler, Gary Kwong, Andreas Jaegersberger, Ro Achterberg
Affected Software
21 affected componentsFixes available
Apple macOS Sonoma<14.6
14.6
debian/apache2
2.4.62-1~deb11u12.4.62-1~deb11u22.4.62-1~deb12u22.4.62-32.4.63-1
redhat/httpd<2.4.59
2.4.59
IBM R10.0<=10.1.3.0
10.0.245.0
IBM R9.4<=89.42.18.0
89.41.25.0
89.40.83.0
IBM R9.3<=89.33.52.0
89.33.45.0
Apache HTTP Server<2.4.59
Debian Debian Linux=10.0
Fedoraproject Fedora=38
Fedoraproject Fedora=39
Fedoraproject Fedora=40
NetApp Ontap=9
NetApp Ontap Tools Vmware Vsphere=10
Broadcom Fabric Operating System
Apple macOS<14.6
F5 BIG-IP>=17.1.0<=17.1.2
17.1.2.2
F5 BIG-IP>=16.1.0<=16.1.5
16.1.6
F5 BIG-IP>=15.1.0<=15.1.10
F5 F5OS-A=1.7.0, >=1.5.1<=1.5.2
F5 F5OS-C>=1.6.0<=1.6.2
F5 Traffix SDC=5.2.0, =5.1.0
Remediation
Patch Available
Event History
Apr 4, 2024
Data Sourced
via Red Hat·06:52 PM
DescriptionSeverityAffected Software
CVE Published
via MITRE·07:19 PM
Data Sourced
via MITRE·07:19 PM
DescriptionWeakness
Data Sourced
via NVD·08:15 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·08:15 PM
Affected Software
May 24, 2024
Advisory Published
via F5·05:08 PM
Data Sourced
via F5·05:08 PM
DescriptionSeverityWeaknessAffected Software
Jun 26, 2024
Data Sourced
via Launchpad·05:58 PM
Description
Sep 14, 2024
Data Sourced
via Ubuntu·06:09 PM
RemedyDescriptionSeverityAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2023-38709?
CVE-2023-38709 has a medium severity rating due to its potential for exploitation via HTTP response splitting attacks.
2
How do I fix CVE-2023-38709?
To fix CVE-2023-38709, update Apache HTTP Server to version 2.4.62 or later, or apply specific patches as per your vendor's guidance.
3
Which software is affected by CVE-2023-38709?
CVE-2023-38709 affects various software including Apache HTTP Server versions up to 2.4.59, F5 BIG-IP, and specific versions of IBM Aspera Console.
4
What type of attack can exploit CVE-2023-38709?
CVE-2023-38709 can be exploited through HTTP response splitting attacks allowing attackers to inject arbitrary HTTP headers.
5
What is the impact of CVE-2023-38709 on affected systems?
The impact of CVE-2023-38709 can lead to improper response handling, potentially exposing sensitive data via split responses.