CVE-2022-28331

CWE-190 — Integer Overflow CWE-787 — Out-of-bounds Write7 documents7 sources

Severity

9.8CRITICAL

EPSS

0.3%

top 48.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Portable Runtime (apr)Apache Portable Runtime

Timeline

PublishedJan 31

Description

On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/portable_runtime1.7.0

▶CVEListV5apache_software_foundation/apache_portable_runtime_(apr)1.7.0

▶Alpineapr< 1.7.1-r0+9

🔴Vulnerability Details

GHSA

GHSA-27j5-c395-8j82: On Windows, Apache Portable Runtime 1↗2023-01-31

▶

OSV

CVE-2022-28331: On Windows, Apache Portable Runtime 1↗2023-01-31

▶

CVEList

Apache Portable Runtime (APR): Windows out-of-bounds write in apr_socket_sendv function↗2023-01-31

▶

📋Vendor Advisories

Red Hat

apr: Windows out-of-bounds write in apr_socket_sendv function↗2023-01-31

▶

Microsoft

Apache Portable Runtime (APR): Windows out-of-bounds write in apr_socket_sendv function↗2023-01-10

▶

Debian

CVE-2022-28331: apr - On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end o...↗2022

▶