CVE-2023-38709 : Faulty input validation in the core of Apache allows malicious or exploitable ba

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.

Published 2024-04-04 19:19:35

Updated 2024-11-05 20:35:11

Source Apache Software Foundation

View at NVD, CVE.org

Products affected by CVE-2023-38709

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2023-38709

EPSS FAQ

45.26%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 97 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-38709

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	3.9	3.4	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-11-05
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low
6.8	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N	N/A	N/A	RedHat-CVE-2023-38709	2024-04-04
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Changed Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2023-38709

CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

References for CVE-2023-38709

https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html

[SECURITY] [DLA 3818-1] apache2 security update

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2024/04/04/3

oss-security - CVE-2023-38709: Apache HTTP Server: HTTP response splitting
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/

[SECURITY] Fedora 40 Update: httpd-2.4.59-2.fc40 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/

[SECURITY] Fedora 39 Update: httpd-2.4.59-2.fc39 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20240415-0013/

April 2024 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security

CVEs referencing this url
https://httpd.apache.org/security/vulnerabilities_24.html

httpd 2.4 vulnerabilities - The Apache HTTP Server Project

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/

[SECURITY] Fedora 38 Update: httpd-2.4.59-2.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://support.apple.com/kb/HT214119

About the security content of macOS Sonoma 14.6 - Apple Support

CVEs referencing this url
http://seclists.org/fulldisclosure/2024/Jul/18

Full Disclosure: APPLE-SA-07-29-2024-4 macOS Sonoma 14.6

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-38709

Products affected by CVE-2023-38709

Exploit prediction scoring system (EPSS) score for CVE-2023-38709

CVSS scores for CVE-2023-38709

CWE ids for CVE-2023-38709

References for CVE-2023-38709