CVE-2022-22720

Severity: 9.8 CRITICAL
EPSS: 27.5% (top 3.58%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 14; Latest update Aug 25

Description

Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when an error is encountered while discarding the request body, exposing the server to HTTP request smuggling: the unread body bytes remain on the still-open connection and are interpreted as the start of the next request. Fixed in Apache HTTP Server 2.4.53.
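The connection-reuse mechanic behind this CVE, shown as an added Python model (this is illustration code, not Apache httpd's implementation): a toy keep-alive server loop reads pipelined requests from one inbound buffer, rejects one request early, and then either closes the connection when it cannot discard the body (fixed behaviour) or keeps reading (vulnerable behaviour). The rejection rule (path too long), the discard limit that triggers the error, and every request byte string are constructed for the example; the actual error conditions inside httpd are not modelled.

```python
"""Toy model of the flaw in CVE-2022-22720 (added illustration, not httpd code).

A keep-alive server reads pipelined requests from one inbound buffer. When it
rejects a request before consuming the body, it must either discard that body
or close the connection; if it does neither, the unread body bytes are parsed
as the next request on the same connection (request smuggling / desync).
The rejection rule, the discard limit and all request bytes are constructed.
"""


def parse_head(buf: bytes):
    """Return (method, path, headers, head_len) or None if the head is incomplete."""
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return None
    lines = buf[:end].decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, end + 4


def discard_body(buf: bytes, headers: dict, limit: int) -> int:
    """Consume an unwanted body and return the byte count consumed.

    Raises ValueError on the constructed error conditions: body longer than the
    discard limit, or body not fully present in the buffer.
    """
    length = int(headers.get("content-length", "0"))
    if length > limit or len(buf) < length:
        raise ValueError("cannot discard request body")
    return length


def serve(buf: bytes, *, close_on_discard_error: bool, discard_limit: int = 64,
          max_path: int = 8) -> list:
    """Process every request in buf; return [(method, path, status), ...].

    Requests whose path is longer than max_path are rejected with 403 before
    their body is read (a stand-in for any early error response).
    """
    log = []
    while buf:
        parsed = parse_head(buf)
        if parsed is None:
            break
        method, path, headers, head_len = parsed
        buf = buf[head_len:]
        if len(path) > max_path:
            log.append((method, path, 403))
            try:
                buf = buf[discard_body(buf, headers, discard_limit):]
            except ValueError:
                if close_on_discard_error:
                    break      # fixed behaviour: the connection is closed
                # vulnerable behaviour: connection stays open with the body
                # still unread, so its bytes are parsed as the next request
            continue
        buf = buf[int(headers.get("content-length", "0")):]
        log.append((method, path, 200))
    return log


# Constructed wire bytes: an attacker's rejected request whose body is itself a
# request, followed by an unrelated request from the next user of the connection.
LONG_PATH = "/" + "a" * 20
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example\r\nX-Pad: " + b"z" * 40 + b"\r\n\r\n"
ATTACKER = (b"POST " + LONG_PATH.encode() + b" HTTP/1.1\r\nHost: example\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(SMUGGLED) + SMUGGLED)
VICTIM = b"GET /index HTTP/1.1\r\nHost: example\r\n\r\n"
WIRE = ATTACKER + VICTIM

if __name__ == "__main__":
    print("vulnerable:", serve(WIRE, close_on_discard_error=False))
    print("fixed:     ", serve(WIRE, close_on_discard_error=True))
```

With `close_on_discard_error=False` the log shows three requests served from a buffer that carried two: the attacker's body is handled as `GET /admin`, and the following user's request is processed after it, which is the desync the description refers to. With the flag set, the rejected request is the last thing read on that connection, matching the behaviour the description says 2.4.52 and earlier lack.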

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (8 packages)

Source | Package | Affected versions
NVD | apache/http_server | 2.4.52 and earlier
CVEList V5 | apache_software_foundation/apache_http_server (Apache HTTP Server 2.4) | 2.4.52
NVD | oracle/http_server | 12.2.1.3.0, 12.2.1.4.0 (+1 more)
Debian | apache2 | < 2.4.53-1~deb11u1 (+3 more)
NVD | apple/macos | 11.0 through 11.6.6 (+2 more)

Also affects: Debian Linux 9.0, Fedora 34, 35, 36

Patches

🔴 Vulnerability Details (5)

OSV: apache2 vulnerabilities (2022-03-17)
OSV: apache2 vulnerabilities (2022-03-17)
GHSA: GHSA-2hwm-6xjf-3xmx: Apache HTTP Server 2 (2022-03-15)
CVEList: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier (2022-03-14)
OSV: CVE-2022-22720: Apache HTTP Server 2 (2022-03-14)

📋 Vendor Advisories (8)

Apple: CVE-2022-22720: macOS Big Sur 11.6.6 (2022-05-16)
Apple: CVE-2022-22720: Security Update 2022-004 Catalina (2022-05-16)
Apple: CVE-2022-22720: macOS Monterey 12.4 (2022-05-16)
Ubuntu: Apache HTTP Server vulnerabilities (2022-03-17)
Ubuntu: Apache HTTP Server vulnerabilities (2022-03-17)

💬 Community (1)

HackerOne: Pause-based desync in Apache HTTPD (2022-08-25)