CVE-2024-24795

Опубликовано: 04 апр. 2024

Источник: nvd

CVSS3: 6.3

EPSS Низкий

Описание

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

Users are recommended to upgrade to version 2.4.59, which fixes this issue.

Ссылки

https://httpd.apache.org/security/vulnerabilities_24.html
Release Notes
Vendor Advisory
http://seclists.org/fulldisclosure/2024/Jul/18
Mailing List
http://www.openwall.com/lists/oss-security/2024/04/04/5
Mailing List
https://httpd.apache.org/security/vulnerabilities_24.html
Release Notes
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/05/msg00014.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20240415-0013/
Third Party Advisory
https://support.apple.com/kb/HT214119
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Версия от 2.4.0 (включая) до 2.4.59 (исключая)

Конфигурация 2

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*

Конфигурация 4

Одно из

cpe:2.3:a:netapp:ontap:9:*:*:*:*:*:*:*

cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:*

cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*

Конфигурация 5

cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Версия до 14.6 (исключая)

EPSS

Процентиль: 78%

0.01219

Низкий

6.3 Medium

CVSS3

Дефекты

CWE-113

CWE-444

Связанные уязвимости

CVE-2024-24795

CVSS3: 6.3

ubuntu

больше 1 года назад

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.

CVE-2024-24795

CVSS3: 4

redhat

больше 1 года назад

CVE-2024-24795

CVSS3: 6.3

msrc

9 месяцев назад

Описание отсутствует

CVE-2024-24795

CVSS3: 6.3

debian

больше 1 года назад

HTTP Response splitting in multiple modules in Apache HTTP Server allo ...

SUSE-SU-2024:3861-1

suse-cvrf

10 месяцев назад

Security update for uwsgi

EPSS

Процентиль: 78%

0.01219

Низкий

6.3 Medium

CVSS3

Дефекты

CWE-113

CWE-444