CVE-2023-38709

Apache HTTP Server: HTTP response splitting

CVSS 7.3 HIGH · EPSS 3.9% · CWE-1284
In short

Apache HTTP Server fails to properly validate certain inputs, allowing attackers to manipulate HTTP responses by injecting extra headers or content. This can lead to cache poisoning, session hijacking, or tricking users into seeing malicious content.

Technical detail

Improper input validation in Apache's core allows backend or content generators to inject control characters that split HTTP responses, enabling HTTP response splitting attacks. An attacker with control over backend-generated content can inject headers or payload boundaries to poison caches or perform client-side attacks against end users.

Summary generated and translated by AI from the official description.
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
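
As an added illustration (not part of the advisory and not Apache's own code), the following backend-side guard rejects response headers that contain the control characters described under Technical detail before they are handed to the server. The function names and the sample header sets are constructed for this example.

```python
import re

# Characters allowed in a field name (the "token" rule from RFC 9110).
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Control characters that must never appear in a field value (HTAB, 0x09, is allowed).
_BAD_VALUE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def unsafe_headers(headers):
    """Return (name, reason) for each header that could alter response framing."""
    findings = []
    for name, value in headers:
        if not _TOKEN.fullmatch(name):
            findings.append((name, "invalid field name"))
            continue
        match = _BAD_VALUE.search(value)
        if match:
            reason = "control character 0x%02x in value" % ord(match.group())
            findings.append((name, reason))
    return findings


def serialize(status_line, headers):
    """Build the response head, refusing any header set that fails validation."""
    findings = unsafe_headers(headers)
    if findings:
        raise ValueError("rejected backend headers: %r" % findings)
    lines = [status_line] + ["%s: %s" % (n, v) for n, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample data: one clean header set and one whose value
# carries an embedded CR/LF, which would otherwise start a new header line.
CLEAN = [("Content-Type", "text/html"), ("Location", "/account?lang=en")]
TAINTED = [("Content-Type", "text/html"),
           ("Location", "/account?lang=en\r\nX-Injected: 1")]

if __name__ == "__main__":
    print(unsafe_headers(CLEAN))
    print(unsafe_headers(TAINTED))
```

Validating at the content generator is defense in depth for backends you control; it does not change the behaviour of the affected server versions listed above.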
