CVE-2016-8743

Published: Jul 27, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

Affected (25)

Products: Apache: Http Server · Netapp: Clustered Data Ontap, Oncommand Unified Manager · Debian: Debian Linux · +1 more

Show all products

Apache: Http Server · Netapp: Clustered Data Ontap, Oncommand Unified Manager · Debian: Debian Linux · Redhat: Enterprise Linux Desktop, Enterprise Linux Eus, Enterprise Linux Server, Enterprise Linux Server Aus, Enterprise Linux Server Tus, Enterprise Linux Workstation, Jboss Core Services

1 product

2 products

Oncommand Unified Manager

Debian

1 product

Debian Linux

Redhat

7 products

Enterprise Linux Desktop

Enterprise Linux Eus

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Server Tus

Enterprise Linux Workstation

Jboss Core Services

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Http Server	From 2.2.0 to 2.2.31
Apache Http Server	From 2.4.1 to 2.4.23

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Netapp Clustered Data Ontap	All versions
Netapp Oncommand Unified Manager	All versions

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Configuration D

18 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 6.0
Redhat Enterprise Linux Desktop	Version 7.0
Redhat Enterprise Linux Eus	Version 7.3
Redhat Enterprise Linux Eus	Version 7.4
Redhat Enterprise Linux Eus	Version 7.5
Redhat Enterprise Linux Eus	Version 7.6
Redhat Enterprise Linux Eus	Version 7.7
Redhat Enterprise Linux Server	Version 6.0
Redhat Enterprise Linux Server	Version 7.0
Redhat Enterprise Linux Server Aus	Version 7.3
Redhat Enterprise Linux Server Aus	Version 7.4
Redhat Enterprise Linux Server Aus	Version 7.6
Redhat Enterprise Linux Server Aus	Version 7.7
Redhat Enterprise Linux Server Tus	Version 7.3
Redhat Enterprise Linux Server Tus	Version 7.6
Redhat Enterprise Linux Server Tus	Version 7.7
Redhat Enterprise Linux Workstation	Version 6.0
Redhat Enterprise Linux Workstation	Version 7.0

Configuration E

1 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Redhat Jboss Core Services	Version 1.0

Running on/with	Platform Versions
Redhat Enterprise Linux	Version 6.0
Redhat Enterprise Linux	Version 7.0

References (80)

http://rhn.redhat.com/errata/RHSA-2017-1415.html

Source: security@apache.org

Third Party Advisory

http://www.debian.org/security/2017/dsa-3796

Source: security@apache.org

Third Party Advisory

http://www.securityfocus.com/bid/95077

Source: security@apache.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1037508

Source: security@apache.org

Broken LinkThird Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2017:0906

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:1161

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:1413

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:1414

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:1721

Source: security@apache.org

Third Party Advisory

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbmu03753en_us

Source: security@apache.org

Third Party Advisory

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03725en_us

Source: security@apache.org

Third Party Advisory

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-8743

Source: security@apache.org

Vendor Advisory

https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r09b8a39d1262adbab5528eea73df1b1f93e919bf004ed5a843d9cad1%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r4fe84db67fe9dc906c6185e58bbd9913f4356dd555a5c3db490694e5%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r94284b139540e5287ebdd3450682d3e3d187263dd6b75af8fa7d4890%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rfcb6c7b9e7ca727a7eeeb5f13f89488a03981cfa0e7c3125f18fa239%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://security.gentoo.org/glsa/201701-36

Source: security@apache.org

PatchThird Party AdvisoryVDB Entry

https://security.netapp.com/advisory/ntap-20180423-0001/

Source: security@apache.org

Third Party Advisory

https://support.apple.com/HT208221

Source: security@apache.org

Third Party Advisory

https://www.tenable.com/security/tns-2017-04

Source: security@apache.org

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2017-1415.html