Bug 2176211 (CVE-2023-27522)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2023-27522 httpd: mod_proxy_uwsgi HTTP response splitting | | |
| Product | [Other] Security Response | Reporter | Mauro Matteo Cascella <mcascell> |
| Component | vulnerability | Assignee | Nobody <nobody> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | asoldano, bbaranow, bdettelb, bmaxwell, brian.stansberry, caswilli, cdewolf, chazlett, csutherl, darran.lofthouse, dkreling, dosoudil, fjuma, hhorak, ivassile, iweiss, jburrell, jclere, jkoehler, jorton, jwakely, kaycoth, kyoshida, lgao, luhliari, micjohns, mosmerov, msochure, msvehla, mturk, nbhumkar, nobody, nwallace, pablomiguelcj, peholase, pjindal, plodge, pmackay, rstancel, ryan.brothers, smaestri, sthirugn, szappis, tom.jenkinson, xili, zac.carius |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | httpd 2.4.56 | Doc Type | If docs needed, set a value |
| Doc Text | An HTTP Response Smuggling vulnerability was found in the Apache HTTP Server via mod_proxy_uwsgi. This security issue occurs when special characters in the origin response header can truncate or split the response forwarded to the client. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2023-08-15 21:54:16 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2176720, 2176723, 2176724, 2236177, 2236178 | | |
| Bug Blocks | 2176202 | | |
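
The Doc Text above says that special characters in an origin response header can truncate or split the response forwarded to the client. The following is an added illustration, not code from httpd or from this bug report: a header validation pass of the kind a proxy can run on origin headers before forwarding them, with a constructed sample response containing one header that would split and one that would truncate.

```python
import re

_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 token


def is_safe_header_line(line: str) -> bool:
    """True if a 'Name: value' line from the origin may be forwarded.

    Rejects a malformed name and any control character in the value (HTAB
    excepted). CR, LF and NUL matter most: a downstream parser may read them
    as a line break or end of string, splitting or truncating the response.
    """
    name, sep, value = line.partition(":")
    if not sep or not _TOKEN_RE.match(name):
        return False
    for ch in value:
        if ord(ch) == 0x7F or (ord(ch) < 0x20 and ch != "\t"):
            return False
    return True


def forward_headers(raw: bytes):
    """Read the origin header block the way a lenient line reader would
    (split on LF, strip a trailing CR) and return (kept, rejected) lines."""
    status, _, rest = raw.decode("latin-1").partition("\n")
    kept, rejected = [status.rstrip("\r")], []
    for line in rest.split("\n"):
        line = line.rstrip("\r")          # only a trailing CR terminates
        if line == "":                    # blank line ends the headers
            break
        (kept if is_safe_header_line(line) else rejected).append(line)
    return kept, rejected


# Constructed sample, not captured from a real backend. Line 3 survives the
# lenient reader as one header, yet a client honouring the bare CR would see
# a second, injected header; the NUL in line 4 would truncate a C string.
# Both are rejected instead of being forwarded.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Upstream: ok\rX-Injected: yes\r\n"
    b"X-Note: abc\x00def\r\n"
    b"Cache-Control: no-store\r\n"
    b"\r\n"
    b"<html>body</html>"
)

if __name__ == "__main__":
    print(forward_headers(SAMPLE))
```

A stricter policy would fail the whole proxied response on the first rejected line rather than dropping it; either way the rejected lines are worth logging, since they indicate an origin emitting control characters.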
Description (Mauro Matteo Cascella, 2023-03-07 16:22:49 UTC)

Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 2176720]

ryan.brothers (comment #4):

Is there a timeline for when this will be patched in RHEL9?

(In reply to ryan.brothers from comment #4)
> Is there a timeline for when this will be patched in RHEL9?

We will probably fix it in the next RHEL-9 release.

Hi, for RHEL-8 is there an RHSA to address CVE-2023-27522? Thanks.

This issue has been addressed in the following products:

Red Hat JBoss Core Services

Via RHSA-2023:4628 https://access.redhat.com/errata/RHSA-2023:4628

This issue has been addressed in the following products:

JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8

Via RHSA-2023:4629 https://access.redhat.com/errata/RHSA-2023:4629

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-27522

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5049 https://access.redhat.com/errata/RHSA-2023:5049

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2023:5050 https://access.redhat.com/errata/RHSA-2023:5050

errata-xmlrpc (comment #18):

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2023:6403 https://access.redhat.com/errata/RHSA-2023:6403

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:4504 https://access.redhat.com/errata/RHSA-2024:4504

The vulnerability in mod_proxy_uwsgi (CVE-2023-27522) allows attackers to inject malicious headers or modify the HTTP response by exploiting improper handling of response splitting. This can lead to serious security risks like session fixation, cross-site scripting (XSS), or even redirecting users to malicious websites, depending on the attack vector. This highlights the importance of securely validating headers and response content before sending them to the client.

HTTP response splitting allows an attacker to split the server's HTTP response into two parts, allowing them to inject arbitrary HTTP headers or even modify the content of the response. In the case of mod_proxy_uwsgi, this flaw could allow an attacker to perform actions that could manipulate how clients perceive the server's responses, making it a prime target for malicious exploits.

Apache HTTPD's maintainers have addressed this issue in newer versions, where input sanitization and validation for headers and response content have been improved. To mitigate the risk, it is essential to update to a patched version as soon as possible. Administrators should also consider additional hardening measures, such as disabling mod_proxy_uwsgi if it's not needed, or applying more restrictive header handling rules in their configuration.