CVE-2024-42516: Apache HTTP Server: HTTP response splitting

[Eric Covener <covener () apache org>]

Severity: moderate 

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.63

Description:

HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type 
response headers of applications hosted or proxied by the server can split the HTTP response.

This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address 
the issue.

Users are recommended to upgrade to version 2.4.64, which fixes this issue.

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-42516

Timeline:

2024-07-18: reported
2025-07-07: 2.4.x 1927039