Vulnerability-Lookup

WID-SEC-W-2022-0646

Vulnerability from csaf_certbund - Published: 2022-03-13 23:00 - Updated: 2023-10-19 22:00

Summary

Apache HTTP Server: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Apache ist ein Webserver für verschiedene Plattformen.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache HTTP Server ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuführen.

Betroffene Betriebssysteme: - UNIX - Linux - MacOS X - Windows - F5 Networks - Sonstiges - Hardware Appliance

CVE-2022-23943

In Apache HTTP Server existieren mehrere Schwachstellen. Die Schwachstellen sind auf die Nutzung einer nicht initialisierten Variablen, Fehler beim Schließen von Verbindungen, Pufferüberläufe sowie Out-of-Bounds-Lese und Schreibfehler zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuführen.

Affected products

Known affected 18 products

Product	Identifier	Version
IBM Rational Build Forge IBM	`cpe:/a:ibm:rational_build_forge:-`	—
Avaya Aura Experience Portal Avaya	`cpe:/a:avaya:aura_experience_portal:-`	—
Avaya Aura System Manager Avaya	`cpe:/a:avaya:aura_system_manager:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Avaya Aura Application Enablement Services Avaya	`cpe:/a:avaya:aura_application_enablement_services:-`	—
Hitachi Command Suite Hitachi	`cpe:/a:hitachi:command_suite:-`	—
Avaya Aura Session Manager Avaya	`cpe:/a:avaya:session_manager:-`	—
Avaya Aura Communication Manager Avaya	`cpe:/a:avaya:communication_manager:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Avaya Web License Manager Avaya	`cpe:/a:avaya:web_license_manager:-`	—
QNAP NAS QNAP	`cpe:/h:qnap:nas:-`	—
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
F5 BIG-IP F5 / BIG-IP	`cpe:/a:f5:big-ip:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—

CVE-2022-22721

Affected products

Known affected 18 products

Product	Identifier	Version
IBM Rational Build Forge IBM	`cpe:/a:ibm:rational_build_forge:-`	—
Avaya Aura Experience Portal Avaya	`cpe:/a:avaya:aura_experience_portal:-`	—
Avaya Aura System Manager Avaya	`cpe:/a:avaya:aura_system_manager:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Avaya Aura Application Enablement Services Avaya	`cpe:/a:avaya:aura_application_enablement_services:-`	—
Hitachi Command Suite Hitachi	`cpe:/a:hitachi:command_suite:-`	—
Avaya Aura Session Manager Avaya	`cpe:/a:avaya:session_manager:-`	—
Avaya Aura Communication Manager Avaya	`cpe:/a:avaya:communication_manager:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Avaya Web License Manager Avaya	`cpe:/a:avaya:web_license_manager:-`	—
QNAP NAS QNAP	`cpe:/h:qnap:nas:-`	—
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
F5 BIG-IP F5 / BIG-IP	`cpe:/a:f5:big-ip:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—

CVE-2022-22720

Affected products

Known affected 18 products

Product	Identifier	Version
IBM Rational Build Forge IBM	`cpe:/a:ibm:rational_build_forge:-`	—
Avaya Aura Experience Portal Avaya	`cpe:/a:avaya:aura_experience_portal:-`	—
Avaya Aura System Manager Avaya	`cpe:/a:avaya:aura_system_manager:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Avaya Aura Application Enablement Services Avaya	`cpe:/a:avaya:aura_application_enablement_services:-`	—
Hitachi Command Suite Hitachi	`cpe:/a:hitachi:command_suite:-`	—
Avaya Aura Session Manager Avaya	`cpe:/a:avaya:session_manager:-`	—
Avaya Aura Communication Manager Avaya	`cpe:/a:avaya:communication_manager:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Avaya Web License Manager Avaya	`cpe:/a:avaya:web_license_manager:-`	—
QNAP NAS QNAP	`cpe:/h:qnap:nas:-`	—
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
F5 BIG-IP F5 / BIG-IP	`cpe:/a:f5:big-ip:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—

CVE-2022-22719

Affected products

Known affected 18 products

Product	Identifier	Version
IBM Rational Build Forge IBM	`cpe:/a:ibm:rational_build_forge:-`	—
Avaya Aura Experience Portal Avaya	`cpe:/a:avaya:aura_experience_portal:-`	—
Avaya Aura System Manager Avaya	`cpe:/a:avaya:aura_system_manager:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Avaya Aura Application Enablement Services Avaya	`cpe:/a:avaya:aura_application_enablement_services:-`	—
Hitachi Command Suite Hitachi	`cpe:/a:hitachi:command_suite:-`	—
Avaya Aura Session Manager Avaya	`cpe:/a:avaya:session_manager:-`	—
Avaya Aura Communication Manager Avaya	`cpe:/a:avaya:communication_manager:-`	—
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
Avaya Web License Manager Avaya	`cpe:/a:avaya:web_license_manager:-`	—
QNAP NAS QNAP	`cpe:/h:qnap:nas:-`	—
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
F5 BIG-IP F5 / BIG-IP	`cpe:/a:f5:big-ip:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—

References

49 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.ibm.com/support/pages/node/7056039	external
https://my.f5.com/manage/s/article/K67090077	external
https://httpd.apache.org/security/vulnerabilities…	external
https://ubuntu.com/security/notices/USN-5333-1	external
https://ubuntu.com/security/notices/USN-5333-2	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.debian.org/debian-lts-announce/2022…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
http://linux.oracle.com/errata/ELSA-2022-1049.html	external
http://linux.oracle.com/errata/ELSA-2022-1045.html	external
https://access.redhat.com/errata/RHSA-2022:1045	external
https://access.redhat.com/errata/RHSA-2022:1049	external
https://downloads.avaya.com/css/P8/documents/101081052	external
https://access.redhat.com/errata/RHSA-2022:1075	external
https://access.redhat.com/errata/RHSA-2022:1080	external
https://access.redhat.com/errata/RHSA-2022:1072	external
https://lists.centos.org/pipermail/centos-announc…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://access.redhat.com/errata/RHSA-2022:1102	external
https://linux.oracle.com/errata/ELSA-2022-9257.html	external
https://access.redhat.com/errata/RHSA-2022:1138	external
https://access.redhat.com/errata/RHSA-2022:1136	external
https://access.redhat.com/errata/RHSA-2022:1137	external
https://downloads.avaya.com/css/P8/documents/101081144	external
https://access.redhat.com/errata/RHSA-2022:1139	external
https://access.redhat.com/errata/RHSA-2022:1173	external
https://access.redhat.com/errata/RHSA-2022:1389	external
https://access.redhat.com/errata/RHSA-2022:1390	external
https://alas.aws.amazon.com/AL2022/ALAS-2022-053.html	external
https://www.qnap.com/go/security-advisory/qsa-22-11	external
https://alas.aws.amazon.com/AL2/ALAS-2022-1783.html	external
https://alas.aws.amazon.com/ALAS-2022-1584.html	external
https://support.f5.com/csp/article/K67090077	external
https://www.ibm.com/blogs/psirt/security-bulletin…	external
https://www.ibm.com/blogs/psirt/security-bulletin…	external
http://linux.oracle.com/errata/ELSA-2022-9676.html	external
https://security.gentoo.org/glsa/202208-20	external
https://www.hitachi.co.jp/Prod/comp/soft1/global/…	external
https://access.redhat.com/errata/RHSA-2022:6753	external
https://access.redhat.com/errata/RHSA-2022:7647	external
https://linux.oracle.com/errata/ELSA-2022-7647.html	external
https://access.redhat.com/errata/RHSA-2022:8067	external
https://linux.oracle.com/errata/ELSA-2022-8067.html	external
https://access.redhat.com/errata/RHSA-2022:8841	external
https://access.redhat.com/errata/RHSA-2022:8840	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache ist ein Webserver f\u00fcr verschiedene Plattformen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache HTTP Server ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- MacOS X\n- Windows\n- F5 Networks\n- Sonstiges\n- Hardware Appliance",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-0646 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-0646.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-0646 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0646"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7056039 vom 2023-10-19",
        "url": "https://www.ibm.com/support/pages/node/7056039"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory K67090077 vom 2023-06-22",
        "url": "https://my.f5.com/manage/s/article/K67090077"
      },
      {
        "category": "external",
        "summary": "Apache Security Advisory vom 2022-03-13",
        "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-5333-1 vom 2022-03-17",
        "url": "https://ubuntu.com/security/notices/USN-5333-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-5333-2 vom 2022-03-17",
        "url": "https://ubuntu.com/security/notices/USN-5333-2"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:0928-1 vom 2022-03-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-March/010496.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:0918-1 vom 2022-03-21",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-March/010494.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:14924-1 vom 2022-03-21",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-March/010491.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-2960 vom 2022-03-22",
        "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:0929-1 vom 2022-03-22",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-March/010499.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2022-1049 vom 2022-03-25",
        "url": "http://linux.oracle.com/errata/ELSA-2022-1049.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2022-1045 vom 2022-03-24",
        "url": "http://linux.oracle.com/errata/ELSA-2022-1045.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1045 vom 2022-03-24",
        "url": "https://access.redhat.com/errata/RHSA-2022:1045"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1049 vom 2022-03-24",
        "url": "https://access.redhat.com/errata/RHSA-2022:1049"
      },
      {
        "category": "external",
        "summary": "AVAYA Security Advisory ASA-2022-035 vom 2022-03-25",
        "url": "https://downloads.avaya.com/css/P8/documents/101081052"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1075 vom 2022-03-28",
        "url": "https://access.redhat.com/errata/RHSA-2022:1075"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1080 vom 2022-03-28",
        "url": "https://access.redhat.com/errata/RHSA-2022:1080"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1072 vom 2022-03-28",
        "url": "https://access.redhat.com/errata/RHSA-2022:1072"
      },
      {
        "category": "external",
        "summary": "CentOS Security Advisory CESA-2022:1045 vom 2022-03-29",
        "url": "https://lists.centos.org/pipermail/centos-announce/2022-March/073576.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:1031-1 vom 2022-03-29",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-March/010563.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1102 vom 2022-03-29",
        "url": "https://access.redhat.com/errata/RHSA-2022:1102"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2022-9257 vom 2022-03-31",
        "url": "https://linux.oracle.com/errata/ELSA-2022-9257.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1138 vom 2022-04-02",
        "url": "https://access.redhat.com/errata/RHSA-2022:1138"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1136 vom 2022-04-02",
        "url": "https://access.redhat.com/errata/RHSA-2022:1136"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1137 vom 2022-04-02",
        "url": "https://access.redhat.com/errata/RHSA-2022:1137"
      },
      {
        "category": "external",
        "summary": "AVAYA Security Advisory ASA-2022-034 vom 2022-03-31",
        "url": "https://downloads.avaya.com/css/P8/documents/101081144"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1139 vom 2022-04-02",
        "url": "https://access.redhat.com/errata/RHSA-2022:1139"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1173 vom 2022-04-04",
        "url": "https://access.redhat.com/errata/RHSA-2022:1173"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1389 vom 2022-04-21",
        "url": "https://access.redhat.com/errata/RHSA-2022:1389"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:1390 vom 2022-04-21",
        "url": "https://access.redhat.com/errata/RHSA-2022:1390"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2022-053 vom 2022-04-22",
        "url": "https://alas.aws.amazon.com/AL2022/ALAS-2022-053.html"
      },
      {
        "category": "external",
        "summary": "QNAP Security Advisory QSA-22-11 vom 2022-04-23",
        "url": "https://www.qnap.com/go/security-advisory/qsa-22-11"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2022-1783 vom 2022-04-27",
        "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1783.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS-2022-1584 vom 2022-04-29",
        "url": "https://alas.aws.amazon.com/ALAS-2022-1584.html"
      },
      {
        "category": "external",
        "summary": "F5 Security Advisory K67090077 vom 2022-05-13",
        "url": "https://support.f5.com/csp/article/K67090077"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 6602977 vom 2022-07-13",
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-is-affected-by-apache-http-server-version-used-in-it-cve-2022-22721/"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 6602999 vom 2022-07-13",
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-is-affected-by-apache-http-server-version-used-in-it-cve-2022-22719/"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2022-9676 vom 2022-08-04",
        "url": "http://linux.oracle.com/errata/ELSA-2022-9676.html"
      },
      {
        "category": "external",
        "summary": "Gentoo Linux Security Advisory GLSA-202208-20 vom 2022-08-14",
        "url": "https://security.gentoo.org/glsa/202208-20"
      },
      {
        "category": "external",
        "summary": "Hitachi Vulnerability Information HITACHI-SEC-2022-128 vom 2022-08-30",
        "url": "https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-128/index.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:6753 vom 2022-09-29",
        "url": "https://access.redhat.com/errata/RHSA-2022:6753"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:7647 vom 2022-11-08",
        "url": "https://access.redhat.com/errata/RHSA-2022:7647"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2022-7647 vom 2022-11-15",
        "url": "https://linux.oracle.com/errata/ELSA-2022-7647.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:8067 vom 2022-11-15",
        "url": "https://access.redhat.com/errata/RHSA-2022:8067"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2022-8067 vom 2022-11-22",
        "url": "https://linux.oracle.com/errata/ELSA-2022-8067.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:8841 vom 2022-12-08",
        "url": "https://access.redhat.com/errata/RHSA-2022:8841"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2022:8840 vom 2022-12-08",
        "url": "https://access.redhat.com/errata/RHSA-2022:8840"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache HTTP Server: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2023-10-19T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:31:31.424+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2022-0646",
      "initial_release_date": "2022-03-13T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-03-13T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2022-03-15T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: 2064320, 2064319, 2064322, 2064321"
        },
        {
          "date": "2022-03-17T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2022-03-20T23:00:00.000+00:00",
          "number": "4",
          "summary": "Referenz(en) aufgenommen: FEDORA-2022-21264EC6DB, FEDORA-2022-78E3211C55, FEDORA-2022-B4103753E9"
        },
        {
          "date": "2022-03-21T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-03-22T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-03-24T23:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Oracle Linux und Red Hat aufgenommen"
        },
        {
          "date": "2022-03-27T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von AVAYA aufgenommen"
        },
        {
          "date": "2022-03-28T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-03-29T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von CentOS, SUSE und Red Hat aufgenommen"
        },
        {
          "date": "2022-03-31T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2022-04-03T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Red Hat und AVAYA aufgenommen"
        },
        {
          "date": "2022-04-20T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-04-24T22:00:00.000+00:00",
          "number": "14",
          "summary": "Neue Updates von Amazon und QNAP aufgenommen"
        },
        {
          "date": "2022-04-27T22:00:00.000+00:00",
          "number": "15",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2022-04-28T22:00:00.000+00:00",
          "number": "16",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2022-05-15T22:00:00.000+00:00",
          "number": "17",
          "summary": "Neue Informationen von F5 aufgenommen"
        },
        {
          "date": "2022-07-12T22:00:00.000+00:00",
          "number": "18",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2022-08-04T22:00:00.000+00:00",
          "number": "19",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2022-08-14T22:00:00.000+00:00",
          "number": "20",
          "summary": "Neue Updates von Gentoo aufgenommen"
        },
        {
          "date": "2022-08-29T22:00:00.000+00:00",
          "number": "21",
          "summary": "Neue Updates von HITACHI aufgenommen"
        },
        {
          "date": "2022-09-29T22:00:00.000+00:00",
          "number": "22",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-11-08T23:00:00.000+00:00",
          "number": "23",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2022-11-15T23:00:00.000+00:00",
          "number": "24",
          "summary": "Neue Updates von Oracle Linux und Red Hat aufgenommen"
        },
        {
          "date": "2022-11-21T23:00:00.000+00:00",
          "number": "25",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2022-12-08T23:00:00.000+00:00",
          "number": "26",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-06-22T22:00:00.000+00:00",
          "number": "27",
          "summary": "Neue Updates von F5 aufgenommen"
        },
        {
          "date": "2023-10-19T22:00:00.000+00:00",
          "number": "28",
          "summary": "Neue Updates von IBM aufgenommen"
        }
      ],
      "status": "final",
      "version": "28"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Apache HTTP Server \u003c 2.4.53",
            "product": {
              "name": "Apache HTTP Server \u003c 2.4.53",
              "product_id": "T022323",
              "product_identification_helper": {
                "cpe": "cpe:/a:apache:http_server:2.4.53"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Apache"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Avaya Aura Application Enablement Services",
            "product": {
              "name": "Avaya Aura Application Enablement Services",
              "product_id": "T015516",
              "product_identification_helper": {
                "cpe": "cpe:/a:avaya:aura_application_enablement_services:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Avaya Aura Communication Manager",
            "product": {
              "name": "Avaya Aura Communication Manager",
              "product_id": "T015126",
              "product_identification_helper": {
                "cpe": "cpe:/a:avaya:communication_manager:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Avaya Aura Experience Portal",
            "product": {
              "name": "Avaya Aura Experience Portal",
              "product_id": "T015519",
              "product_identification_helper": {
                "cpe": "cpe:/a:avaya:aura_experience_portal:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Avaya Aura Session Manager",
            "product": {
              "name": "Avaya Aura Session Manager",
              "product_id": "T015127",
              "product_identification_helper": {
                "cpe": "cpe:/a:avaya:session_manager:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Avaya Aura System Manager",
            "product": {
              "name": "Avaya Aura System Manager",
              "product_id": "T015518",
              "product_identification_helper": {
                "cpe": "cpe:/a:avaya:aura_system_manager:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Avaya Web License Manager",
            "product": {
              "name": "Avaya Web License Manager",
              "product_id": "T016243",
              "product_identification_helper": {
                "cpe": "cpe:/a:avaya:web_license_manager:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Avaya"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "F5 BIG-IP",
                "product": {
                  "name": "F5 BIG-IP",
                  "product_id": "T001663",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:f5:big-ip:-"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "F5 BIG-IP \u003c 15.1.9",
                "product": {
                  "name": "F5 BIG-IP \u003c 15.1.9",
                  "product_id": "T028287",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:f5:big-ip:15.1.9"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "BIG-IP"
          }
        ],
        "category": "vendor",
        "name": "F5"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Gentoo Linux",
            "product": {
              "name": "Gentoo Linux",
              "product_id": "T012167",
              "product_identification_helper": {
                "cpe": "cpe:/o:gentoo:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Gentoo"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Hitachi Command Suite",
            "product": {
              "name": "Hitachi Command Suite",
              "product_id": "T010951",
              "product_identification_helper": {
                "cpe": "cpe:/a:hitachi:command_suite:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Hitachi"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM Rational Build Forge",
            "product": {
              "name": "IBM Rational Build Forge",
              "product_id": "T004089",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:rational_build_forge:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source CentOS",
            "product": {
              "name": "Open Source CentOS",
              "product_id": "1727",
              "product_identification_helper": {
                "cpe": "cpe:/o:centos:centos:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "QNAP NAS",
            "product": {
              "name": "QNAP NAS",
              "product_id": "T017100",
              "product_identification_helper": {
                "cpe": "cpe:/h:qnap:nas:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "QNAP"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-23943",
      "notes": [
        {
          "category": "description",
          "text": "In Apache HTTP Server existieren mehrere Schwachstellen. Die Schwachstellen sind auf die Nutzung einer nicht initialisierten Variablen, Fehler beim Schlie\u00dfen von Verbindungen, Puffer\u00fcberl\u00e4ufe sowie Out-of-Bounds-Lese und Schreibfehler zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T004089",
          "T015519",
          "T015518",
          "67646",
          "T015516",
          "T010951",
          "T015127",
          "T015126",
          "T012167",
          "T004914",
          "T016243",
          "T017100",
          "2951",
          "T002207",
          "T000126",
          "T001663",
          "398363",
          "1727"
        ]
      },
      "release_date": "2022-03-13T23:00:00.000+00:00",
      "title": "CVE-2022-23943"
    },
    {
      "cve": "CVE-2022-22721",
      "notes": [
        {
          "category": "description",
          "text": "In Apache HTTP Server existieren mehrere Schwachstellen. Die Schwachstellen sind auf die Nutzung einer nicht initialisierten Variablen, Fehler beim Schlie\u00dfen von Verbindungen, Puffer\u00fcberl\u00e4ufe sowie Out-of-Bounds-Lese und Schreibfehler zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T004089",
          "T015519",
          "T015518",
          "67646",
          "T015516",
          "T010951",
          "T015127",
          "T015126",
          "T012167",
          "T004914",
          "T016243",
          "T017100",
          "2951",
          "T002207",
          "T000126",
          "T001663",
          "398363",
          "1727"
        ]
      },
      "release_date": "2022-03-13T23:00:00.000+00:00",
      "title": "CVE-2022-22721"
    },
    {
      "cve": "CVE-2022-22720",
      "notes": [
        {
          "category": "description",
          "text": "In Apache HTTP Server existieren mehrere Schwachstellen. Die Schwachstellen sind auf die Nutzung einer nicht initialisierten Variablen, Fehler beim Schlie\u00dfen von Verbindungen, Puffer\u00fcberl\u00e4ufe sowie Out-of-Bounds-Lese und Schreibfehler zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T004089",
          "T015519",
          "T015518",
          "67646",
          "T015516",
          "T010951",
          "T015127",
          "T015126",
          "T012167",
          "T004914",
          "T016243",
          "T017100",
          "2951",
          "T002207",
          "T000126",
          "T001663",
          "398363",
          "1727"
        ]
      },
      "release_date": "2022-03-13T23:00:00.000+00:00",
      "title": "CVE-2022-22720"
    },
    {
      "cve": "CVE-2022-22719",
      "notes": [
        {
          "category": "description",
          "text": "In Apache HTTP Server existieren mehrere Schwachstellen. Die Schwachstellen sind auf die Nutzung einer nicht initialisierten Variablen, Fehler beim Schlie\u00dfen von Verbindungen, Puffer\u00fcberl\u00e4ufe sowie Out-of-Bounds-Lese und Schreibfehler zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T004089",
          "T015519",
          "T015518",
          "67646",
          "T015516",
          "T010951",
          "T015127",
          "T015126",
          "T012167",
          "T004914",
          "T016243",
          "T017100",
          "2951",
          "T002207",
          "T000126",
          "T001663",
          "398363",
          "1727"
        ]
      },
      "release_date": "2022-03-13T23:00:00.000+00:00",
      "title": "CVE-2022-22719"
    }
  ]
}

CVE-2022-22719 (GCVE-0-2022-22719)

Vulnerability from cvelistv5 – Published: 2022-03-14 10:15 – Updated: 2024-08-03 03:21

Title

mod_lua Use of uninitialized value of in r:parsebody

Summary

A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.

Severity

No CVSS data available.

CWE

CWE-665 - Improper Initialization

Assigner

apache

References

15 references

URL	Tags
https://httpd.apache.org/security/vulnerabilities…	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/03/14/4	mailing-listx_refsource_MLIST
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.debian.org/debian-lts-announce/2022…	mailing-listx_refsource_MLIST
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
https://security.netapp.com/advisory/ntap-2022032…	x_refsource_CONFIRM
https://support.apple.com/kb/HT213257	x_refsource_CONFIRM
https://support.apple.com/kb/HT213256	x_refsource_CONFIRM
https://support.apple.com/kb/HT213255	x_refsource_CONFIRM
http://seclists.org/fulldisclosure/2022/May/33	mailing-listx_refsource_FULLDISC
http://seclists.org/fulldisclosure/2022/May/35	mailing-listx_refsource_FULLDISC
http://seclists.org/fulldisclosure/2022/May/38	mailing-listx_refsource_FULLDISC
https://security.gentoo.org/glsa/202208-20	vendor-advisoryx_refsource_GENTOO

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache HTTP Server	Affected: Apache HTTP Server 2.4 , ≤ 2.4.52 (custom)

Credits

Chamal De Silva

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:21:49.091Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
          },
          {
            "name": "[oss-security] 20220314 CVE-2022-22719: Apache HTTP Server: mod_lua Use of uninitialized value of in r:parsebody",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/03/14/4"
          },
          {
            "name": "FEDORA-2022-b4103753e9",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"
          },
          {
            "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html"
          },
          {
            "name": "FEDORA-2022-21264ec6db",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"
          },
          {
            "name": "FEDORA-2022-78e3211c55",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220321-0001/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT213257"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT213256"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT213255"
          },
          {
            "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/May/33"
          },
          {
            "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/May/35"
          },
          {
            "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/May/38"
          },
          {
            "name": "GLSA-202208-20",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-20"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.52",
              "status": "affected",
              "version": "Apache HTTP Server 2.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Chamal De Silva"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "moderate"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-665",
              "description": "CWE-665 Improper Initialization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-14T01:07:27.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        },
        {
          "name": "[oss-security] 20220314 CVE-2022-22719: Apache HTTP Server: mod_lua Use of uninitialized value of in r:parsebody",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/03/14/4"
        },
        {
          "name": "FEDORA-2022-b4103753e9",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"
        },
        {
          "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html"
        },
        {
          "name": "FEDORA-2022-21264ec6db",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"
        },
        {
          "name": "FEDORA-2022-78e3211c55",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220321-0001/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT213257"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT213256"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT213255"
        },
        {
          "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/May/33"
        },
        {
          "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/May/35"
        },
        {
          "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/May/38"
        },
        {
          "name": "GLSA-202208-20",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-20"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2021-12-18T00:00:00.000Z",
          "value": "Reported to security team"
        }
      ],
      "title": "mod_lua Use of uninitialized value of in r:parsebody",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-22719",
          "STATE": "PUBLIC",
          "TITLE": "mod_lua Use of uninitialized value of in r:parsebody"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache HTTP Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache HTTP Server 2.4",
                            "version_value": "2.4.52"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Chamal De Silva"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "moderate"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-665 Improper Initialization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://httpd.apache.org/security/vulnerabilities_24.html",
              "refsource": "MISC",
              "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
            },
            {
              "name": "[oss-security] 20220314 CVE-2022-22719: Apache HTTP Server: mod_lua Use of uninitialized value of in r:parsebody",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/03/14/4"
            },
            {
              "name": "FEDORA-2022-b4103753e9",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"
            },
            {
              "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html"
            },
            {
              "name": "FEDORA-2022-21264ec6db",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"
            },
            {
              "name": "FEDORA-2022-78e3211c55",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220321-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220321-0001/"
            },
            {
              "name": "https://support.apple.com/kb/HT213257",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT213257"
            },
            {
              "name": "https://support.apple.com/kb/HT213256",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT213256"
            },
            {
              "name": "https://support.apple.com/kb/HT213255",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT213255"
            },
            {
              "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2022/May/33"
            },
            {
              "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2022/May/35"
            },
            {
              "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2022/May/38"
            },
            {
              "name": "GLSA-202208-20",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-20"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2021-12-18T00:00:00.000Z",
            "value": "Reported to security team"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-22719",
    "datePublished": "2022-03-14T10:15:16.000Z",
    "dateReserved": "2022-01-06T00:00:00.000Z",
    "dateUpdated": "2024-08-03T03:21:49.091Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-22720 (GCVE-0-2022-22720)

Vulnerability from cvelistv5 – Published: 2022-03-14 10:15 – Updated: 2024-08-03 03:21

Title

HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier

Summary

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling

Severity

No CVSS data available.

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Assigner

apache

References

16 references

URL	Tags
https://httpd.apache.org/security/vulnerabilities…	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/03/14/3	mailing-listx_refsource_MLIST
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.debian.org/debian-lts-announce/2022…	mailing-listx_refsource_MLIST
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
https://security.netapp.com/advisory/ntap-2022032…	x_refsource_CONFIRM
http://seclists.org/fulldisclosure/2022/May/33	mailing-listx_refsource_FULLDISC
http://seclists.org/fulldisclosure/2022/May/35	mailing-listx_refsource_FULLDISC
http://seclists.org/fulldisclosure/2022/May/38	mailing-listx_refsource_FULLDISC
https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC
https://support.apple.com/kb/HT213257	x_refsource_CONFIRM
https://support.apple.com/kb/HT213256	x_refsource_CONFIRM
https://support.apple.com/kb/HT213255	x_refsource_CONFIRM
https://security.gentoo.org/glsa/202208-20	vendor-advisoryx_refsource_GENTOO

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache HTTP Server	Affected: Apache HTTP Server 2.4 , ≤ 2.4.52 (custom)

Credits

James Kettle <james.kettle portswigger.net>

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:21:48.980Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
          },
          {
            "name": "[oss-security] 20220314 CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/03/14/3"
          },
          {
            "name": "FEDORA-2022-b4103753e9",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"
          },
          {
            "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html"
          },
          {
            "name": "FEDORA-2022-21264ec6db",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"
          },
          {
            "name": "FEDORA-2022-78e3211c55",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220321-0001/"
          },
          {
            "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/May/33"
          },
          {
            "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/May/35"
          },
          {
            "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/May/38"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT213257"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT213256"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT213255"
          },
          {
            "name": "GLSA-202208-20",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-20"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.52",
              "status": "affected",
              "version": "Apache HTTP Server 2.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "James Kettle \u003cjames.kettle portswigger.net\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "important"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-14T01:07:14.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        },
        {
          "name": "[oss-security] 20220314 CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/03/14/3"
        },
        {
          "name": "FEDORA-2022-b4103753e9",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"
        },
        {
          "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html"
        },
        {
          "name": "FEDORA-2022-21264ec6db",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"
        },
        {
          "name": "FEDORA-2022-78e3211c55",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220321-0001/"
        },
        {
          "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/May/33"
        },
        {
          "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/May/35"
        },
        {
          "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/May/38"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT213257"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT213256"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT213255"
        },
        {
          "name": "GLSA-202208-20",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-20"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-22720",
          "STATE": "PUBLIC",
          "TITLE": "HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache HTTP Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache HTTP Server 2.4",
                            "version_value": "2.4.52"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "James Kettle \u003cjames.kettle portswigger.net\u003e"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "important"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://httpd.apache.org/security/vulnerabilities_24.html",
              "refsource": "MISC",
              "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
            },
            {
              "name": "[oss-security] 20220314 CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/03/14/3"
            },
            {
              "name": "FEDORA-2022-b4103753e9",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"
            },
            {
              "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html"
            },
            {
              "name": "FEDORA-2022-21264ec6db",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"
            },
            {
              "name": "FEDORA-2022-78e3211c55",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220321-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220321-0001/"
            },
            {
              "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2022/May/33"
            },
            {
              "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2022/May/35"
            },
            {
              "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2022/May/38"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "https://support.apple.com/kb/HT213257",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT213257"
            },
            {
              "name": "https://support.apple.com/kb/HT213256",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT213256"
            },
            {
              "name": "https://support.apple.com/kb/HT213255",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT213255"
            },
            {
              "name": "GLSA-202208-20",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-20"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-22720",
    "datePublished": "2022-03-14T10:15:29.000Z",
    "dateReserved": "2022-01-06T00:00:00.000Z",
    "dateUpdated": "2024-08-03T03:21:48.980Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-22721 (GCVE-0-2022-22721)

Vulnerability from cvelistv5 – Published: 2022-03-14 10:15 – Updated: 2024-08-03 03:21

Title

core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody

Summary

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

Severity

No CVSS data available.

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

apache

References

16 references

URL	Tags
https://httpd.apache.org/security/vulnerabilities…	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/03/14/2	mailing-listx_refsource_MLIST
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.debian.org/debian-lts-announce/2022…	mailing-listx_refsource_MLIST
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
https://security.netapp.com/advisory/ntap-2022032…	x_refsource_CONFIRM
http://seclists.org/fulldisclosure/2022/May/33	mailing-listx_refsource_FULLDISC
http://seclists.org/fulldisclosure/2022/May/35	mailing-listx_refsource_FULLDISC
http://seclists.org/fulldisclosure/2022/May/38	mailing-listx_refsource_FULLDISC
https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC
https://support.apple.com/kb/HT213257	x_refsource_CONFIRM
https://support.apple.com/kb/HT213256	x_refsource_CONFIRM
https://support.apple.com/kb/HT213255	x_refsource_CONFIRM
https://security.gentoo.org/glsa/202208-20	vendor-advisoryx_refsource_GENTOO

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache HTTP Server	Affected: Apache HTTP Server 2.4 , ≤ 2.4.52 (custom)

Credits

Anonymous working with Trend Micro Zero Day Initiative

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:21:48.950Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
          },
          {
            "name": "[oss-security] 20220314 CVE-2022-22721: Apache HTTP Server: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/03/14/2"
          },
          {
            "name": "FEDORA-2022-b4103753e9",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"
          },
          {
            "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html"
          },
          {
            "name": "FEDORA-2022-21264ec6db",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"
          },
          {
            "name": "FEDORA-2022-78e3211c55",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220321-0001/"
          },
          {
            "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/May/33"
          },
          {
            "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/May/35"
          },
          {
            "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/May/38"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT213257"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT213256"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT213255"
          },
          {
            "name": "GLSA-202208-20",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-20"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.52",
              "status": "affected",
              "version": "Apache HTTP Server 2.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Anonymous working with Trend Micro Zero Day Initiative"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "low"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-14T01:07:45.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        },
        {
          "name": "[oss-security] 20220314 CVE-2022-22721: Apache HTTP Server: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/03/14/2"
        },
        {
          "name": "FEDORA-2022-b4103753e9",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"
        },
        {
          "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html"
        },
        {
          "name": "FEDORA-2022-21264ec6db",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"
        },
        {
          "name": "FEDORA-2022-78e3211c55",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220321-0001/"
        },
        {
          "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/May/33"
        },
        {
          "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/May/35"
        },
        {
          "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/May/38"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT213257"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT213256"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT213255"
        },
        {
          "name": "GLSA-202208-20",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-20"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2021-12-16T00:00:00.000Z",
          "value": "Reported to security team"
        }
      ],
      "title": "core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-22721",
          "STATE": "PUBLIC",
          "TITLE": "core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache HTTP Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache HTTP Server 2.4",
                            "version_value": "2.4.52"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Anonymous working with Trend Micro Zero Day Initiative"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "low"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-190 Integer Overflow or Wraparound"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://httpd.apache.org/security/vulnerabilities_24.html",
              "refsource": "MISC",
              "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
            },
            {
              "name": "[oss-security] 20220314 CVE-2022-22721: Apache HTTP Server: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/03/14/2"
            },
            {
              "name": "FEDORA-2022-b4103753e9",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"
            },
            {
              "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html"
            },
            {
              "name": "FEDORA-2022-21264ec6db",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"
            },
            {
              "name": "FEDORA-2022-78e3211c55",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220321-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220321-0001/"
            },
            {
              "name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2022/May/33"
            },
            {
              "name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2022/May/35"
            },
            {
              "name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2022/May/38"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "https://support.apple.com/kb/HT213257",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT213257"
            },
            {
              "name": "https://support.apple.com/kb/HT213256",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT213256"
            },
            {
              "name": "https://support.apple.com/kb/HT213255",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT213255"
            },
            {
              "name": "GLSA-202208-20",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-20"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2021-12-16T00:00:00.000Z",
            "value": "Reported to security team"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-22721",
    "datePublished": "2022-03-14T10:15:40.000Z",
    "dateReserved": "2022-01-06T00:00:00.000Z",
    "dateUpdated": "2024-08-03T03:21:48.950Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23943 (GCVE-0-2022-23943)

Vulnerability from cvelistv5 – Published: 2022-03-14 10:15 – Updated: 2024-08-03 03:59

Title

mod_sed: Read/write beyond bounds

Summary

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.

Severity

No CVSS data available.

CWE

CWE-787 - Out-of-bounds Write
CWE-190 - Integer Overflow or Wraparound

Assigner

apache

References

11 references

URL	Tags
https://httpd.apache.org/security/vulnerabilities…	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/03/14/1	mailing-listx_refsource_MLIST
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.debian.org/debian-lts-announce/2022…	mailing-listx_refsource_MLIST
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
https://www.tenable.com/security/tns-2022-08	x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-2022032…	x_refsource_CONFIRM
https://www.tenable.com/security/tns-2022-09	x_refsource_CONFIRM
https://security.gentoo.org/glsa/202208-20	vendor-advisoryx_refsource_GENTOO

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache HTTP Server	Affected: 2.4 , ≤ 2.4.52 (custom)

Credits

Ronald Crane (Zippenhop LLC)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:59:23.156Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
          },
          {
            "name": "[oss-security] 20220314 CVE-2022-23943: Apache HTTP Server: mod_sed: Read/write beyond bounds",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/03/14/1"
          },
          {
            "name": "FEDORA-2022-b4103753e9",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"
          },
          {
            "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html"
          },
          {
            "name": "FEDORA-2022-21264ec6db",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"
          },
          {
            "name": "FEDORA-2022-78e3211c55",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/tns-2022-08"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220321-0001/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/tns-2022-09"
          },
          {
            "name": "GLSA-202208-20",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-20"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.52",
              "status": "affected",
              "version": "2.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ronald Crane (Zippenhop LLC)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "important"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-14T01:07:51.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        },
        {
          "name": "[oss-security] 20220314 CVE-2022-23943: Apache HTTP Server: mod_sed: Read/write beyond bounds",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/03/14/1"
        },
        {
          "name": "FEDORA-2022-b4103753e9",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"
        },
        {
          "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html"
        },
        {
          "name": "FEDORA-2022-21264ec6db",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"
        },
        {
          "name": "FEDORA-2022-78e3211c55",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.tenable.com/security/tns-2022-08"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220321-0001/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.tenable.com/security/tns-2022-09"
        },
        {
          "name": "GLSA-202208-20",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-20"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-01-13T00:00:00.000Z",
          "value": "Reported to security team"
        }
      ],
      "title": "mod_sed: Read/write beyond bounds",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-23943",
          "STATE": "PUBLIC",
          "TITLE": "mod_sed: Read/write beyond bounds"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache HTTP Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "2.4",
                            "version_value": "2.4.52"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ronald Crane (Zippenhop LLC)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "important"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-787 Out-of-bounds Write"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-190 Integer Overflow or Wraparound"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://httpd.apache.org/security/vulnerabilities_24.html",
              "refsource": "MISC",
              "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
            },
            {
              "name": "[oss-security] 20220314 CVE-2022-23943: Apache HTTP Server: mod_sed: Read/write beyond bounds",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/03/14/1"
            },
            {
              "name": "FEDORA-2022-b4103753e9",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"
            },
            {
              "name": "[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html"
            },
            {
              "name": "FEDORA-2022-21264ec6db",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"
            },
            {
              "name": "FEDORA-2022-78e3211c55",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://www.tenable.com/security/tns-2022-08",
              "refsource": "CONFIRM",
              "url": "https://www.tenable.com/security/tns-2022-08"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220321-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220321-0001/"
            },
            {
              "name": "https://www.tenable.com/security/tns-2022-09",
              "refsource": "CONFIRM",
              "url": "https://www.tenable.com/security/tns-2022-09"
            },
            {
              "name": "GLSA-202208-20",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-20"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2022-01-13T00:00:00.000Z",
            "value": "Reported to security team"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-23943",
    "datePublished": "2022-03-14T10:15:54.000Z",
    "dateReserved": "2022-01-25T00:00:00.000Z",
    "dateUpdated": "2024-08-03T03:59:23.156Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2022-0646

CVE-2022-22719 (GCVE-0-2022-22719)

CVE-2022-22720 (GCVE-0-2022-22720)

CVE-2022-22721 (GCVE-0-2022-22721)

CVE-2022-23943 (GCVE-0-2022-23943)

Tags

Sightings

Nomenclature