Description
Kayran has detected that the version of Apache HTTP Server being used is accepting whitespace characters from requests that are sent in response lines and headers.
Accepting these different behaviors represent a security concern when httpd participates in any chain of proxies or interacts with back-end application servers. Also known as CVE-2016-8743.
Through mod_proxy or using conventional CGI mechanisms, remote attackers could possibly abuse this flaw to inject data into HTTP responses, which results in proxy cache poisoning.
It could also lead to request smuggling and response splitting.
Severity/Score
CVSS Version 3.x – 7.5 High
Recommendation
To fix CVE-2016-8743, upgrade the version of Apache Server being used to either 2.2.32 or 2.4.25.
References
https://cwe.mitre.org/data/definitions/20.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743
