CVE-2023-27522 - OpenCVE

HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Http Server
Debian	Debian Linux
Unbit	Uwsgi

Configuration 1 [-]

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:unbit:uwsgi:*:*:*:*:*:*:*:*

References

Link	Resource
https://httpd.apache.org/security/vulnerabilities_24.html	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html	Third Party Advisory
https://security.gentoo.org/glsa/202309-01

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2023-03-07T15:09:30.122Z

Updated: 2023-03-07T15:09:30.122Z

Reserved: 2023-03-02T12:24:47.536Z

Link: CVE-2023-27522

JSON object: View

NVD Information

Status : Modified

Published: 2023-03-07T16:15:09.613

Modified: 2023-09-08T22:15:10.817

Link: CVE-2023-27522

JSON object: View

Redhat Information

No data.

CWE

CWE-444

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-27522", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-03-02T12:24:47.536Z", "datePublished": "2023-03-07T15:09:30.122Z", "dateUpdated": "2023-03-07T15:09:30.122Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.55", "status": "affected", "version": "2.4.30", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Dimas Fariski Setyawan Putra (nyxsorcerer)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_<code>proxy_uwsgi</code>. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.</div><div>Special characters in the origin response header can truncate/split the response forwarded to the client.<br></div>"}], "value": "HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.\n\nSpecial characters in the origin response header can truncate/split the response forwarded to the client.\n\n\n"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Responses ('HTTP Response Smuggling')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-03-07T15:09:30.122Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00028.html"}, {"url": "https://security.gentoo.org/glsa/202309-01"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2023-01-29T06:42:00.000Z", "value": "Reported to security team"}], "title": "Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}