CVE-2023-38709

HIGH

Apache HTTP Server <= 2.4.58 - HTTP Response Splitting via Faulty Input Validation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-38709. PoCs published by mrmtwoj.

AI-analyzed exploit summary: This repository contains a Python script that scans for multiple Apache HTTP Server vulnerabilities by sending crafted HTTP requests to detect potential misconfigurations or weaknesses. It does not include exploit code for achieving RCE or other offensive actions, only detection logic.

Description

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.

Exploits (1)

nomisec SCANNER 123 stars
by mrmtwoj · poc
https://github.com/mrmtwoj/apache-vulnerability-testing


Classification: Scanner 90%
Attack Type: SSRF | DoS | Info Leak | Auth Bypass
Complexity: Trivial
Reliability: Theoretical
Target: Apache HTTP Server (various versions)
No auth needed
Prerequisites: Python 3.x · requests library · network access to target
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 7.3
EPSS 0.0391
EPSS Percentile 88.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-1284
Status published
Products (9)
apache/http_server < 2.4.59
apple/macos < 14.6
broadcom/fabric_operating_system
debian/debian_linux 10.0
fedoraproject/fedora 38
fedoraproject/fedora 39
fedoraproject/fedora 40
netapp/ontap 9
netapp/ontap_tools 10
Published Apr 04, 2024
Tracked Since Feb 18, 2026