CVE-2024-24795 — Apache HTTP Server: HTTP Response Splitting in multiple modules

Description

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.

How to fix CVE-2024-24795

To remediate CVE-2024-24795, upgrade the affected package to a fixed version below.

—upgrade to 2.4.59-r0 or later
—upgrade to 2.4.59 or later
—upgrade to 2.4.59-1~deb11u1 or later
—no fix listed

Is CVE-2024-24795 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 2.4.59-r0
>= 2.4.0, < 2.4.59
from 0, < 2.4.59-1~deb11u1
from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

References (13)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-24795
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-24795
WEBseclists.org/fulldisclosure/2024/Jul/18
WEBhttpd.apache.org/security/vulnerabilities_24.html
WEB