CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules
Published Apr 4, 2024
·Updated
Accounts. The issue was addressed with improved checks.
Credit
Yeto, IES Red Team(ByteDance), Linwz(DEVCORE), Csaba Fitzl@@theevilbit(Kandji), Mickey Jin@@patch1t, Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), CertiK SkyFall Team, D4m0n, Amir Bazine(CrowdStrike Counter Adversary Operations), Karsten König(CrowdStrike Counter Adversary Operations), CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466, an anonymous researcher, Yann Gascuel(Alter Solutions), w0wbox, CVE-2023-6277, CVE-2023-52356, Yisumi, Junsung Lee(Trend Micro Zero Day Initiative), (CrowdStrike Counter Adversary Operations), Gandalf4a, Wang Yu(Cyberserval), Ye Zhang@@VAR10CK(Baidu Security), sqrtpwn, Minghao Lin(Zhejiang University), Jiaxun Zhu(Zhejiang University), Patrick Wardle(DoubleYou), CVE-2024-40805, Rodolphe BRUNETTI@@eisw0lf, Adam M., CVE-2024-6387, Pedro Tôrres@@t0rr3sp3dr0, Zhongquan Li@@Guluisacat(Dawn Security Lab of JingDong), Mickey Jin@@patch1t(Kandji), (Kandji), Mateen Alinaghi, Claudio Bozzato(Cisco Talos), Francesco Benvenuto(Cisco Talos), Csaba Fitzl@@theevilbit(Offensive Security), Yadhu Krishna M(Cyber Security At Suma Soft Pvt), Narendra Bhati(Cyber Security At Suma Soft Pvt), Manager(Cyber Security At Suma Soft Pvt), Pune (India), Wojciech Regula(SecuRing), (Dawn Security Lab of JingDong), Kirin@@Pwnrin, Joshua Jones, Jiwon Park, Marcio Almeida(Tanto Security), Bistrit Dahal, Srijan Poudel, Jiahui Hu (梅零落)(NorthSea), Meng Zhang (鲸落)(NorthSea), Arsenii Kostromin (0x3c3e), ajajfxhj, Huang Xilin(Ant Group Light), Maksymilian Motyl, Johan Carlsson (joaxcar), Seunghyun Lee@@0x10n(KAIST Hacking Lab working with Trend Micro Zero Day Initiative), CVE-2024-4558, Matthew Butler, Gary Kwong, Andreas Jaegersberger, Ro Achterberg
Affected Software
19 affected componentsFixes available
IBM Aspera Console<=3.4.0 - 3.4.2 PL9
Apple macOS Sonoma<14.6
14.6
debian/apache2
2.4.62-1~deb11u12.4.62-1~deb11u22.4.62-1~deb12u22.4.63-1
debian/uwsgi<=2.0.19.1-7.1, <=2.0.21-5.1, <=2.0.28-8
Apache HTTP Server>=2.4.0<2.4.59
Debian Debian Linux=10.0
Fedoraproject Fedora=38
Fedoraproject Fedora=39
Fedoraproject Fedora=40
NetApp Ontap=9
NetApp Ontap Tools Vmware Vsphere=10
Broadcom Fabric Operating System
Apple macOS<14.6
redhat/httpd<2.4.59
2.4.59
F5 BIG-IP>=17.1.0<=17.1.2
17.5.017.1.2.2
F5 BIG-IP>=16.1.0<=16.1.5
F5 BIG-IP>=15.1.0<=15.1.10
F5 F5OS-A>=1.8.0<=1.8.3, =1.7.0, >=1.5.0<=1.5.4, =1.4.0, >=1.3.0<=1.3.2
F5 F5OS-C>=1.8.0<=1.8.2, >=1.6.0<=1.6.4, >=1.5.0<=1.5.1
Remediation
Patch Available
Event History
Apr 4, 2024
Data Sourced
via Red Hat·07:04 PM
DescriptionSeverityAffected Software
CVE Published
via MITRE·07:20 PM
Data Sourced
via MITRE·07:20 PM
DescriptionWeakness
Data Sourced
via NVD·08:15 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·08:15 PM
Affected Software
May 8, 2024
Advisory Published
via F5·05:23 AM
Data Sourced
via F5·05:23 AM
DescriptionSeverityWeaknessAffected Software
Jun 26, 2024
Data Sourced
via Launchpad·05:58 PM
Description
Sep 14, 2024
Data Sourced
via Ubuntu·06:09 PM
RemedyDescriptionSeverityAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2024-24795?
CVE-2024-24795 is a critical vulnerability that allows for HTTP response splitting attacks.
2
How do I fix CVE-2024-24795?
To mitigate CVE-2024-24795, update affected software packages to the latest versions as indicated by their respective vendors.
3
Which versions are affected by CVE-2024-24795?
CVE-2024-24795 affects multiple versions of Apache HTTP Server and related products, particularly those below specified patch levels.
4
Can CVE-2024-24795 be exploited remotely?
Yes, CVE-2024-24795 can be exploited remotely by an attacker to inject arbitrary HTTP headers.
5
What are the potential impacts of CVE-2024-24795?
Exploitation of CVE-2024-24795 could allow attackers to conduct malicious actions, such as redirecting users or capturing sensitive information.