OESA-2025-2168

HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response.

This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address the issue.

Users are recommended to upgrade to version 2.4.64, which fixes this issue.(CVE-2024-42516)

SSRF in Apache HTTP Server with modproxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where modheaders is configured to modify the Content-Type request or response header with a value provided in the HTTP request.

Users are recommended to upgrade to version 2.4.64 which fixes this issue.(CVE-2024-43204)

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.

In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by modssl such as SSLTLSSNI, no escaping is performed by either modlogconfig or modssl and unsanitized data provided by the client may appear in log files.(CVE-2024-47252)

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.

Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.(CVE-2025-23048)

In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.

Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.(CVE-2025-49812)

Database specific

{
    "severity": "Critical"
}

References

Affected packages

openEuler:20.03-LTS-SP4 / httpd

Package

Name: httpd
Purl: pkg:rpm/openEuler/httpd&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.43-28.oe2003sp4

Ecosystem specific

{
    "x86_64": [
        "httpd-2.4.43-28.oe2003sp4.x86_64.rpm",
        "httpd-debuginfo-2.4.43-28.oe2003sp4.x86_64.rpm",
        "httpd-debugsource-2.4.43-28.oe2003sp4.x86_64.rpm",
        "httpd-devel-2.4.43-28.oe2003sp4.x86_64.rpm",
        "httpd-tools-2.4.43-28.oe2003sp4.x86_64.rpm",
        "mod_ldap-2.4.43-28.oe2003sp4.x86_64.rpm",
        "mod_md-2.4.43-28.oe2003sp4.x86_64.rpm",
        "mod_proxy_html-2.4.43-28.oe2003sp4.x86_64.rpm",
        "mod_session-2.4.43-28.oe2003sp4.x86_64.rpm",
        "mod_ssl-2.4.43-28.oe2003sp4.x86_64.rpm"
    ],
    "src": [
        "httpd-2.4.43-28.oe2003sp4.src.rpm"
    ],
    "aarch64": [
        "httpd-2.4.43-28.oe2003sp4.aarch64.rpm",
        "httpd-debuginfo-2.4.43-28.oe2003sp4.aarch64.rpm",
        "httpd-debugsource-2.4.43-28.oe2003sp4.aarch64.rpm",
        "httpd-devel-2.4.43-28.oe2003sp4.aarch64.rpm",
        "httpd-tools-2.4.43-28.oe2003sp4.aarch64.rpm",
        "mod_ldap-2.4.43-28.oe2003sp4.aarch64.rpm",
        "mod_md-2.4.43-28.oe2003sp4.aarch64.rpm",
        "mod_proxy_html-2.4.43-28.oe2003sp4.aarch64.rpm",
        "mod_session-2.4.43-28.oe2003sp4.aarch64.rpm",
        "mod_ssl-2.4.43-28.oe2003sp4.aarch64.rpm"
    ],
    "noarch": [
        "httpd-filesystem-2.4.43-28.oe2003sp4.noarch.rpm",
        "httpd-help-2.4.43-28.oe2003sp4.noarch.rpm"
    ]
}