2273499 – (CVE-2024-24795) CVE-2024-24795 httpd: HTTP Response Splitting in multiple modules

Bug 2273499 (CVE-2024-24795) - CVE-2024-24795 httpd: HTTP Response Splitting in multiple modules

Summary: CVE-2024-24795 httpd: HTTP Response Splitting in multiple modules

Keywords:
Status:	NEW
Alias:	CVE-2024-24795
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2273500 2273505 2273506 2273507 2273509
Blocks:	2273504
TreeView+	depends on / blocked

Reported:	2024-04-04 19:04 UTC by Pedro Sampaio
Modified:	2025-08-20 13:07 UTC (History)
CC List:	58 users (show)
Fixed In Version:	httpd 2.4.59
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:9306	None	None	None	2024-11-12 09:14:39 UTC
Red Hat Product Errata	RHSA-2025:3452	None	None	None	2025-08-20 13:07:11 UTC
Red Hat Product Errata	RHSA-2025:3453	None	None	None	2025-08-20 13:06:52 UTC

Description Pedro Sampaio 2024-04-04 19:04:16 UTC

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

References:

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-24795
https://svn.apache.org/viewvc?view=revision&revision=1916769

Comment 1 Pedro Sampaio 2024-04-04 19:04:40 UTC

Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 2273500]

Comment 5 Ben 2024-06-13 12:40:52 UTC

As I am unable to view any of 2273504, 2273506, 2273507, 2273505, or 2273509, can someone please tell me what the potential ETA is for this vulnerability being patched, please?

Comment 7 errata-xmlrpc 2024-11-12 09:14:35 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9306 https://access.redhat.com/errata/RHSA-2024:9306

Comment 11 errata-xmlrpc 2025-08-20 13:06:46 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Core Services 2.4.62

Via RHSA-2025:3453 https://access.redhat.com/errata/RHSA-2025:3453

Comment 12 errata-xmlrpc 2025-08-20 13:07:06 UTC

This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2025:3452 https://access.redhat.com/errata/RHSA-2025:3452

Note You need to log in before you can comment on or make changes to this bug.

anjoseph
asoldano
bbaranow
bdettelb
ben.argyle
bmaxwell
brian.stansberry
caswilli
cdewolf
chazlett
csutherl
darran.lofthouse
dfreiber
dkreling
doconnor
dosoudil
eglynn
fjuma
hhorak
istudens
ivassile
iweiss
jburrell
jclere
jjoyce
jmai
jorton
jprabhak
jschluet
kaycoth
lgao
lhh
lsvaty
luhliari
mark.r.caron
mburns
mgarciac
mosmerov
msochure
mstefank
msvehla
nbhumkar
nwallace
pesilva
pgrist
pjindal
plodge
pmackay
rhayakaw
rogbas
rstancel
smaestri
szappis
teagle
tom.jenkinson
tosorio
vkumar
wtam