CVE-2022-26377

CWE-444 — HTTP Request Smuggling13 documents9 sources

Severity

7.5HIGH

EPSS

39.3%

top 2.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server Fedoraproject Fedora

Timeline

PublishedJun 9

Latest updateJul 9

Description

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDapache/http_server2.4.0 — 2.4.54

▶CVEListV5apache_software_foundation/apache_http_serverApache HTTP Server 2.4 — 2.4.53

▶Debianapache2< 2.4.54-1~deb11u1+3

▶Ubuntuapache2< 2.4.29-1ubuntu4.24+4

Also affects: Fedora 35, 36

🔴Vulnerability Details

OSV

apache2 regression↗2022-06-23

▶

OSV

apache2 regression↗2022-06-23

▶

OSV

apache2 vulnerabilities↗2022-06-21

▶

GHSA

GHSA-gx9q-f765-xrgg: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smu↗2022-06-10

▶

OSV

CVE-2022-26377: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smu↗2022-06-09

▶

📋Vendor Advisories

Ubuntu

Apache HTTP Server regression↗2022-06-23

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2022-06-21

▶

Red Hat

httpd: mod_proxy_ajp: Possible request smuggling↗2022-06-08

▶

Debian

CVE-2022-26377: apache2 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerab...↗2022

▶

📄Research Papers

CTF

where_are_you_from / README↗2022

▶

💬Community

HackerOne

Apache HTTP Server: mod_proxy_ajp: Possible request smuggling↗2022-07-09

▶