date:20240404

[users@httpd] CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames

2024-04-04 Thread Eric Covener



Severity: moderate

Affected versions:

- Apache HTTP Server 2.4.17 through 2.4.58

Description:

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 
in order to generate an informative HTTP 413 response. If a client does not 
stop sending headers, this leads to memory exhaustion.

Credit:

Bartek Nowotarski (https://nowotarski.info/)  (finder)

References:

https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-27316

Timeline:

2024-02-22: Reported to security team


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP response splitting

2024-04-04 Thread Eric Covener



Affected versions:

- Apache HTTP Server through 2.4.58

Description:

Faulty input validation in the core of Apache allows malicious or exploitable 
backend/content generators to split HTTP responses.

This issue affects Apache HTTP Server: through 2.4.58.

Credit:

Orange Tsai (@orange_8361) from DEVCORE (finder)

References:

https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-38709


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

[users@httpd] CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules

2024-04-04 Thread Eric Covener



Severity: low

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.58

Description:

HTTP Response splitting in multiple modules in Apache HTTP Server allows an 
attacker that can inject malicious response headers into backend applications 
to cause an HTTP desynchronization attack.

Users are recommended to upgrade to version 2.4.59, which fixes this issue.

Credit:

Keran Mu, Tsinghua University and Zhongguancun Laboratory. (finder)
Jianjun Chen, Tsinghua University and Zhongguancun Laboratory. (finder)

References:

https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-24795

Timeline:

2023-09-06: Reported to security team


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

RE: [users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP response splitting

2024-04-04 Thread Mcalexander, Jon J.

Is there a severity level for this one?

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

From: Eric Covener 
Sent: Thursday, April 4, 2024 8:57 AM
To: annou...@apache.org; users@httpd.apache.org
Subject: [users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP response 
splitting

Affected versions: - Apache HTTP Server through 2. 4. 58 Description: Faulty 
input validation in the core of Apache allows malicious or exploitable 
backend/content generators to split HTTP responses. This issue affects Apache 
HTTP Server: through




Affected versions:



- Apache HTTP Server through 2.4.58



Description:



Faulty input validation in the core of Apache allows malicious or exploitable 
backend/content generators to split HTTP responses.



This issue affects Apache HTTP Server: through 2.4.58.



Credit:



Orange Tsai (@orange_8361) from DEVCORE (finder)



References:



https://urldefense.com/v3/__https://httpd.apache.org/__;!!F9svGWnIaVPGSwU!vZWSYGByQMPoLmzn8sQqALUlF4E_iHa0hd7NgWXP1J4iQbaHarWSmsrOM-tWew_I3iuHcgPO7FOZTp1zBvVc3Bys$

https://urldefense.com/v3/__https://www.cve.org/CVERecord?id=CVE-2023-38709__;!!F9svGWnIaVPGSwU!vZWSYGByQMPoLmzn8sQqALUlF4E_iHa0hd7NgWXP1J4iQbaHarWSmsrOM-tWew_I3iuHcgPO7FOZTp1zBt4tO_xM$





-

To unsubscribe, e-mail: 
users-unsubscr...@httpd.apache.org

For additional commands, e-mail: 
users-h...@httpd.apache.org

Re: [users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP response splitting

2024-04-04 Thread Otis Dewitt - NOAA Affiliate

https://nvd.nist.gov/vuln/detail/CVE-2023-38909

MEDIUM

Otis DeWitt
Contractor with Concept Plus, LLC in support of
NOAA Fisheries NMFS / ST6  |  U.S. Department of Commerce
Office: ‪(302) 648-7481 | otis.dew...@noaa.gov


"If there is no struggle, there is no progress."



On Thu, Apr 4, 2024 at 1:46 PM Mcalexander, Jon J.
 wrote:

> Is there a severity level for this one?
>
>
>
> *Dream * Excel * Explore * Inspire*
>
> Jon McAlexander
>
> Senior Infrastructure Engineer
>
> Asst. Vice President
>
> He/His
>
>
>
> Middleware Product Engineering
>
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
>
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
>
> Tel 515-988-2508 | Cell 515-988-2508
>
>
>
> jonmcalexan...@wellsfargo.com
>
> This message may contain confidential and/or privileged information. If
> you are not the addressee or authorized to receive this for the addressee,
> you must not use, copy, disclose, or take any action based on this message
> or any information herein. If you have received this message in error,
> please advise the sender immediately by reply e-mail and delete this
> message. Thank you for your cooperation.
>
>
>
> *From:* Eric Covener 
> *Sent:* Thursday, April 4, 2024 8:57 AM
> *To:* annou...@apache.org; users@httpd.apache.org
> *Subject:* [users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP
> response splitting
>
>
>
> Affected versions: - Apache HTTP Server through 2. 4. 58 Description:
> Faulty input validation in the core of Apache allows malicious or
> exploitable backend/content generators to split HTTP responses. This issue
> affects Apache HTTP Server: through
>
>
>
> Affected versions:
>
>
>
> - Apache HTTP Server through 2.4.58
>
>
>
> Description:
>
>
>
> Faulty input validation in the core of Apache allows malicious or exploitable 
> backend/content generators to split HTTP responses.
>
>
>
> This issue affects Apache HTTP Server: through 2.4.58.
>
>
>
> Credit:
>
>
>
> Orange Tsai (@orange_8361) from DEVCORE (finder)
>
>
>
> References:
>
>
>
> https://urldefense.com/v3/__https://httpd.apache.org/__;!!F9svGWnIaVPGSwU!vZWSYGByQMPoLmzn8sQqALUlF4E_iHa0hd7NgWXP1J4iQbaHarWSmsrOM-tWew_I3iuHcgPO7FOZTp1zBvVc3Bys$
>  
> 
>
> https://urldefense.com/v3/__https://www.cve.org/CVERecord?id=CVE-2023-38709__;!!F9svGWnIaVPGSwU!vZWSYGByQMPoLmzn8sQqALUlF4E_iHa0hd7NgWXP1J4iQbaHarWSmsrOM-tWew_I3iuHcgPO7FOZTp1zBt4tO_xM$
>  
> 
>
>
>
>
>
> -
>
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
>
>

[users@httpd] CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames

[users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP response splitting

[users@httpd] CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules

RE: [users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP response splitting

Re: [users@httpd] CVE-2023-38709: Apache HTTP Server: HTTP response splitting

5 matches

Site Navigation

Mail list logo

Footer information