CVE-2024-24795: 
Apache HTTP Server vulnerability analysis and mitigation

HTTP Response splitting vulnerability (CVE-2024-24795) affects Apache HTTP Server versions 2.4.0 through 2.4.58. The vulnerability allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. The issue was discovered by Keran Mu and Jianjun Chen from Tsinghua University and Zhongguancun Laboratory (Apache Security).

The vulnerability exists in multiple modules of Apache HTTP Server where malicious or exploitable backend applications can inject response headers that lead to HTTP response splitting. This can result in response desynchronization attacks. The vulnerability has been assigned a CVSS score of 7.3 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or cause HTTP response desynchronization attacks. The vulnerability affects the security of HTTP responses between the server and clients (NetApp Advisory).

Users are recommended to upgrade to Apache HTTP Server version 2.4.59, which contains the fix for this vulnerability. For systems that cannot be immediately upgraded, administrators should monitor backend applications for potential header injection attempts. The fix may affect some CGI-BIN scripts, and administrators may need to add 'SetEnv aptrustcgilike_cl "yes"' to their Apache configuration for trusted scripts (Debian Advisory).