CVE-2024-24795
Publication date 4 April 2024
Last updated 2 June 2026
Ubuntu priority
Description
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| apache2 | 26.04 LTS resolute |
Fixed 2.4.58-1ubuntu8.1
|
| 25.10 questing |
Fixed 2.4.58-1ubuntu8.1
|
|
| 24.04 LTS noble |
Fixed 2.4.58-1ubuntu8.1
|
|
| 22.04 LTS jammy |
Fixed 2.4.52-1ubuntu4.9
|
|
| 20.04 LTS focal |
Fixed 2.4.41-4ubuntu3.17
|
|
| 18.04 LTS bionic |
Fixed 2.4.29-1ubuntu4.27+esm2
|
|
| 16.04 LTS xenial |
Fixed 2.4.18-2ubuntu3.17+esm12
|
|
| 14.04 LTS trusty |
Fixed 2.4.7-1ubuntu4.22+esm12
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialNotes
leosilva
after this update reports were made that fossil package stopped to work properly (LP: #2064509).
Patch details
| Package | Patch details |
|---|---|
| apache2 |
|
Severity score breakdown
CVSS version: CVSS v3.0
Base score
6.3 · Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
References
Related Ubuntu Security Notices (USN)
- USN-6729-1
- Apache HTTP Server vulnerabilities
- 11 April 2024
- USN-6729-2
- Apache HTTP Server vulnerabilities
- 17 April 2024
- USN-6729-3
- Apache HTTP Server vulnerabilities
- 29 April 2024
- USN-8338-1
- Apache HTTP Server vulnerabilities
- 28 May 2026