{
  "threat_severity" : "Moderate",
  "public_date" : "2023-03-07T00:00:00Z",
  "bugzilla" : {
    "description" : "httpd: mod_proxy_uwsgi HTTP response splitting",
    "id" : "2176211",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2176211"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-113",
  "details" : [ "HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55.\nSpecial characters in the origin response header can truncate/split the response forwarded to the client.", "An HTTP Response Smuggling vulnerability was found in the Apache HTTP Server via mod_proxy_uwsgi. This security issue occurs when special characters in the origin response header can truncate or split the response forwarded to the client." ],
  "statement" : "The HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi has been categorized as moderate severity for Red Hat Enterprise Linux due to several technical factors. While the potential impact of this vulnerability is significant, its exploitation requires specific conditions, including the presence of mod_proxy_uwsgi and the ability to inject specially crafted headers into requests. Additionally, successful exploitation depends on the specific configuration of the server and the network environment. Furthermore, the vulnerability primarily affects the integrity and reliability of HTTP responses, rather than directly leading to remote code execution or unauthorized access. Therefore, the likelihood of exploitation and the potential impact on affected systems have been evaluated as moderate, warranting attention and remediation but not categorized as important.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2023-08-15T00:00:00Z",
    "advisory" : "RHSA-2023:4629",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-httpd-0:2.4.57-5.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2023-08-15T00:00:00Z",
    "advisory" : "RHSA-2023:4629",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.57-5.el7jbcs"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-09-11T00:00:00Z",
    "advisory" : "RHSA-2023:5050",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "httpd:2.4-8080020230830144124.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2023-09-11T00:00:00Z",
    "advisory" : "RHSA-2023:5049",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.6",
    "package" : "httpd:2.4-8060020230830144749.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6403",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "httpd-0:2.4.57-5.el9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-07-11T00:00:00Z",
    "advisory" : "RHSA-2024:4504",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "httpd-0:2.4.53-11.el9_2.6"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2023-08-15T00:00:00Z",
    "advisory" : "RHSA-2023:4628",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "httpd"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd22",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "httpd24-httpd",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-27522\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-27522\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2023-27522",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}