CVE-2016-8743
high-risk
Published 2017-07-27
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.
Do I need to act?
8.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10
High
NETWORK / LOW complexity
Affected Products (20)
References (80)
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-1415.html
Third Party Advisory
http://www.debian.org/security/2017/dsa-3796
Third Party Advisory
http://www.securityfocus.com/bid/95077
Broken Link
http://www.securitytracker.com/id/1037508
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0906
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1161
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1413
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1414
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1721
Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na...
Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na...
and 60 more references
57 / 100
high-risk
Severity
26/34 · High
Exploitability
10/34 · Low
Exposure
21/34 · High