Strix
26.1K

CVE-2016-8743

HIGHCVSS 7.5/10EPSS 13.25%

Last modified

CVE-2016-8743 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.. EPSS estimates a 13.25% chance of exploitation in the next 30 days.

Description

Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Probability
13.25%

95.9th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

VendorProductVersions
ApacheHttp Server>= 2.2.0, <= 2.2.31
ApacheHttp Server>= 2.4.1, <= 2.4.23
NetappClustered Data OntapAll versions
NetappOncommand Unified ManagerAll versions
DebianDebian Linux8.0
DebianDebian Linux9.0
RedhatEnterprise Linux Desktop6.0
RedhatEnterprise Linux Desktop7.0
RedhatEnterprise Linux Eus7.3
RedhatEnterprise Linux Eus7.4
RedhatEnterprise Linux Eus7.5
RedhatEnterprise Linux Eus7.6
RedhatEnterprise Linux Eus7.7
RedhatEnterprise Linux Server6.0
RedhatEnterprise Linux Server7.0
RedhatEnterprise Linux Server Aus7.3
RedhatEnterprise Linux Server Aus7.4
RedhatEnterprise Linux Server Aus7.6
RedhatEnterprise Linux Server Aus7.7
RedhatEnterprise Linux Server Tus7.3
RedhatEnterprise Linux Server Tus7.6
RedhatEnterprise Linux Server Tus7.7
RedhatEnterprise Linux Workstation6.0
RedhatEnterprise Linux Workstation7.0
RedhatJboss Core Services1.0

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2016-8743?
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.
How severe is CVE-2016-8743?
CVE-2016-8743 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 13.25% probability of exploitation in the next 30 days.
How do I fix CVE-2016-8743?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-8743?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST