CVE-2023-38709: Apache HTTP Server: HTTP response splitting
First published: Thu Apr 04 2024(Updated: )
Accounts. The issue was addressed with improved checks.
Credit: security@apache.org Yeto IES Red Team ByteDanceCsaba Fitzl @theevilbit KandjiMickey Jin @patch1t Michael DePlante @izobashi Trend Micro Zero Day InitiativeCertiK SkyFall Team D4m0n Amir Bazine CrowdStrike Counter Adversary OperationsKarsten König CrowdStrike Counter Adversary OperationsCVE-2024-2004 CVE-2024-2379 CVE-2024-2398 CVE-2024-2466 an anonymous researcher Yann Gascuel Alter Solutionsw0wbox CVE-2023-6277 CVE-2023-52356 Yisumi Junsung Lee Trend Micro Zero Day Initiative CrowdStrike Counter Adversary OperationsGandalf4a Ye Zhang @VAR10CK Baidu Securitysqrtpwn Minghao Lin Zhejiang UniversityJiaxun Zhu Zhejiang UniversityPatrick Wardle DoubleYouCVE-2024-40805 Rodolphe BRUNETTI @eisw0lf Adam M. CVE-2024-6387 Zhongquan Li @Guluisacat Dawn Security Lab of JingDongMickey Jin @patch1t Kandji KandjiMateen Alinaghi Claudio Bozzato Cisco TalosFrancesco Benvenuto Cisco TalosCsaba Fitzl @theevilbit Offensive SecurityYadhu Krishna M Cyber Security At Suma Soft PvtNarendra Bhati Cyber Security At Suma Soft PvtManager Cyber Security At Suma Soft PvtPune (India) Wojciech Regula SecuRing Dawn Security Lab of JingDongKirin @Pwnrin Joshua Jones Jiwon Park Marcio Almeida Tanto SecurityBistrit Dahal Srijan Poudel Jiahui Hu (梅零落) NorthSeaMeng Zhang (鲸落) NorthSeaArsenii Kostromin (0x3c3e) Huang Xilin Ant Group LightMaksymilian Motyl Johan Carlsson (joaxcar) Seunghyun Lee @0x10n KAIST Hacking Lab working with Trend Micro Zero Day InitiativeCVE-2024-4558 Matthew Butler Gary Kwong Andreas Jaegersberger Ro Achterberg
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Aspera Console | <=3.4.0 - 3.4.2 PL9 | |
| redhat/httpd | <2.4.59 | 2.4.59 |
| Apple macOS | <14.6 | 14.6 |
| debian/apache2 | 2.4.62-1~deb11u1 2.4.62-1~deb11u2 2.4.62-1~deb12u2 2.4.62-3 2.4.63-1 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=17.1.0<=17.1.1 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=16.1.0<=16.1.4 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=15.1.0<=15.1.10 | |
| F5 F5OS-A | =1.7.0>=1.5.1<=1.5.2 | |
| F5 F5OS-C | >=1.6.0<=1.6.2 | |
| F5 Traffix Systems Signaling Delivery Controller | =5.2.0=5.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/286938
- https://www.ibm.com/support/pages/node/7155202 (Advisory)
- https://security.netapp.com/advisory/ntap-20240415-0013/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPVS43DZWNFU7XBYYOZEZMI4ZC/
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF/
- http://www.openwall.com/lists/oss-security/2024/04/04/3
- https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html
- https://launchpad.net/bugs/cve/CVE-2023-38709
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38709
- https://nvd.nist.gov/vuln/detail/CVE-2023-38709
- https://security-tracker.debian.org/tracker/CVE-2023-38709
- https://ubuntu.com/security/CVE-2023-38709
- https://support.apple.com/kb/HT214119
- http://seclists.org/fulldisclosure/2024/Jul/18
- https://svn.apache.org/viewvc?view=revision&revision=1916770
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2273492
- https://access.redhat.com/errata/RHSA-2024:4197
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2273491#c6
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=2043759
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=2043759&action=edit
- https://access.redhat.com/security/cve/CVE-2023-38709
- http://localhost/a.sum
- https://access.redhat.com/errata/RHSA-2024:6927
- https://access.redhat.com/errata/RHSA-2024:6928
- https://access.redhat.com/errata/RHSA-2024:9306
- https://bugzilla.redhat.com/show_bug.cgi?id=2273491
- https://support.apple.com/en-us/HT214119 (Advisory)
- https://www.openwall.com/lists/oss-security/2024/04/04/3
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-38709
- https://github.com/apache/httpd/commit/ac20389f3c816d990aba21720f1492b69ac5cb44
- https://support.apple.com/en-us/120911 (Advisory)
- https://my.f5.com/manage/s/article/K000139764
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2024-40804
- CVE-2023-38709
- CVE-2024-24795
- CVE-2024-27316
- CVE-2024-40783
- CVE-2024-40774
- CVE-2024-40814
- CVE-2024-40775
- CVE-2024-27877
- CVE-2024-27878
- CVE-2024-40799
- CVE-2024-27873
- CVE-2024-2004
- CVE-2024-2379
- CVE-2024-2398
- CVE-2024-2466
- CVE-2024-40827
- CVE-2024-40815
- CVE-2024-40795
- CVE-2023-6277
- CVE-2023-52356
- CVE-2024-40806
- CVE-2024-40777
- CVE-2024-40784
- CVE-2024-27863
- CVE-2024-40816
- CVE-2024-40788
- CVE-2024-40803
- CVE-2024-40805
- CVE-2024-40832
- CVE-2024-40796
- CVE-2024-6387
- CVE-2024-40781
- CVE-2024-40802
- CVE-2024-40823
- CVE-2024-27882
- CVE-2024-27883
- CVE-2024-40778
- CVE-2024-40800
- CVE-2023-27952
- CVE-2024-40817
- CVE-2024-40824
- CVE-2024-27871
- CVE-2024-27881
- CVE-2024-40821
- CVE-2024-40798
- CVE-2024-27872
- CVE-2024-27862
- CVE-2024-40833
- CVE-2024-40835
- CVE-2024-40836
- CVE-2024-40807
- CVE-2024-40834
- CVE-2024-40809
- CVE-2024-40812
- CVE-2024-40787
- CVE-2024-40793
- CVE-2024-40818
- CVE-2024-40822
- CVE-2024-40828
- CVE-2024-40811
- CVE-2024-40776
- CVE-2024-40782
- CVE-2024-40779
- CVE-2024-40780
- CVE-2024-40785
- CVE-2024-40789
- CVE-2024-4558
- CVE-2024-40794
- CVE-2024-44306
- CVE-2024-44307
- CVE-2024-44141
- CVE-2024-40810
- CVE-2024-44205
- CVE-2024-44185
- CVE-2024-44206
Frequently Asked Questions
What is the severity of CVE-2023-38709?
CVE-2023-38709 has a medium severity rating due to its potential for exploitation via HTTP response splitting attacks.
How do I fix CVE-2023-38709?
To fix CVE-2023-38709, update Apache HTTP Server to version 2.4.62 or later, or apply specific patches as per your vendor's guidance.
Which software is affected by CVE-2023-38709?
CVE-2023-38709 affects various software including Apache HTTP Server versions up to 2.4.59, F5 BIG-IP, and specific versions of IBM Aspera Console.
What type of attack can exploit CVE-2023-38709?
CVE-2023-38709 can be exploited through HTTP response splitting attacks allowing attackers to inject arbitrary HTTP headers.
What is the impact of CVE-2023-38709 on affected systems?
The impact of CVE-2023-38709 can lead to improper response handling, potentially exposing sensitive data via split responses.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2023-38709
- agent/title
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- collector/launchpad-cve
- source/Launchpad
- collector/usn-cve
- source/Ubuntu
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/severity
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- collector/nvd-cve
- agent/last-modified-date
- agent/trending
- agent/source
- collector/apple-support
- source/Apple
- alias/CVE-2024-24795
- alias/CVE-2024-27316
- agent/software-canonical-lookup-request
- collector/security-tracker-debian
- source/Debian
- alias/CVE-2024-40783
- alias/CVE-2024-40774
- alias/CVE-2024-40814
- alias/CVE-2024-40775
- alias/CVE-2024-27877
- alias/CVE-2024-27878
- alias/CVE-2024-44306
- alias/CVE-2024-44307
- alias/CVE-2024-40799
- alias/CVE-2024-27873
- alias/CVE-2024-2004
- alias/CVE-2024-2379
- alias/CVE-2024-2398
- alias/CVE-2024-2466
- alias/CVE-2024-40827
- alias/CVE-2024-44141
- alias/CVE-2024-40815
- alias/CVE-2024-40795
- alias/CVE-2023-6277
- alias/CVE-2023-52356
- alias/CVE-2024-40806
- alias/CVE-2024-40777
- alias/CVE-2024-40784
- alias/CVE-2024-40810
- alias/CVE-2024-27863
- alias/CVE-2024-40816
- alias/CVE-2024-40788
- alias/CVE-2024-40803
- alias/CVE-2024-40805
- alias/CVE-2024-40832
- alias/CVE-2024-40796
- alias/CVE-2024-6387
- alias/CVE-2024-40781
- alias/CVE-2024-40802
- alias/CVE-2024-40823
- alias/CVE-2024-27882
- alias/CVE-2024-27883
- alias/CVE-2024-40778
- alias/CVE-2024-40800
- alias/CVE-2023-27952
- alias/CVE-2024-40817
- alias/CVE-2024-40824
- alias/CVE-2024-27871
- alias/CVE-2024-27881
- alias/CVE-2024-40821
- alias/CVE-2024-40798
- alias/CVE-2024-27872
- alias/CVE-2024-27862
- alias/CVE-2024-40833
- alias/CVE-2024-40835
- alias/CVE-2024-40836
- alias/CVE-2024-40807
- alias/CVE-2024-40834
- alias/CVE-2024-40809
- alias/CVE-2024-40812
- alias/CVE-2024-40787
- alias/CVE-2024-40793
- alias/CVE-2024-40818
- alias/CVE-2024-40822
- alias/CVE-2024-44205
- alias/CVE-2024-40828
- alias/CVE-2024-40811
- alias/CVE-2024-40776
- alias/CVE-2024-40782
- alias/CVE-2024-40779
- alias/CVE-2024-40780
- alias/CVE-2024-40785
- alias/CVE-2024-40789
- alias/CVE-2024-4558
- alias/CVE-2024-40794
- alias/CVE-2024-44185
- alias/CVE-2024-44206
- agent/event
- agent/references
- agent/author
- agent/softwarecombine
- agent/tags
- agent/description
- collector/f5-advisory
- source/F5
- vendor/ibm
- canonical/ibm aspera console
- version/ibm aspera console/3.4.0 - 3.4.2 pl9
- package-manager/redhat
- vendor/apple
- canonical/apple macos
- package-manager/debian
- vendor/f5
- canonical/f5 big-ip and big-iq centralized management
- version/f5 big-ip and big-iq centralized management/17.1.0
- version/f5 big-ip and big-iq centralized management/17.1.1
- version/f5 big-ip and big-iq centralized management/16.1.0
- version/f5 big-ip and big-iq centralized management/16.1.4
- version/f5 big-ip and big-iq centralized management/15.1.0
- version/f5 big-ip and big-iq centralized management/15.1.10
- canonical/f5 f5os-a
- version/f5 f5os-a/1.7.0
- version/f5 f5os-a/1.5.1
- version/f5 f5os-a/1.5.2
- canonical/f5 f5os-c
- version/f5 f5os-c/1.6.0
- version/f5 f5os-c/1.6.2
- canonical/f5 traffix systems signaling delivery controller
- version/f5 traffix systems signaling delivery controller/5.2.0
- version/f5 traffix systems signaling delivery controller/5.1.0