CVE-2022-23943

CWE-190 — Integer Overflow CWE-787 — Out-of-bounds Write11 documents10 sources

Severity

9.8CRITICAL

EPSS

60.6%

top 1.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server Debian Debian Linux +3 more

Timeline

PublishedMar 14

Latest updateOct 15

Description

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶NVDapache/http_server2.4.0 — 2.4.53

▶CVEListV5apache_software_foundation/apache_http_server2.4 — 2.4.52

▶NVDoracle/http_server12.2.1.3.0, 12.2.1.4.0+1

▶Debianapache2< 2.4.53-1~deb11u1+3

▶NVDoracle/zfs_storage_appliance_kit8.8

Also affects: Debian Linux 9.0, Fedora 34, 35, 36

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-778r-vp3x-2f8c: Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data↗2022-03-15

▶

OSV

CVE-2022-23943: Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data↗2022-03-14

▶

CVEList

mod_sed: Read/write beyond bounds↗2022-03-14

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: SSL Module (Apache HTTP Server) — CVE-2022-23943↗2022-10-15

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2022-03-17

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2022-03-17

▶

Red Hat

httpd: mod_sed: Read/write beyond bounds↗2022-03-14

▶

Microsoft

mod_sed: Read/write beyond bounds↗2022-03-08

▶