CVE-2022-28615

CWE-190: Integer Overflow | 9 documents | 7 sources

Severity: 9.1 CRITICAL
EPSS: 1.1% (top 21.85%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 9; latest update Jun 23

Description

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Exploitability: 3.9 | Impact: 5.2

Affected Packages (3 packages)

NVD: apache/http_server < 2.4.54
CVEListV5: apache_software_foundation/apache_http_server (Apache HTTP Server) 2.4.53
Debian: apache2 < 2.4.54-1~deb11u1+3

Also affects: Fedora 35, 36

Vulnerability Details (4)

OSV: apache2 vulnerabilities (2022-06-21)
GHSA: GHSA-4hj9-gjv4-4363: Apache HTTP Server 2 (2022-06-10)
OSV: CVE-2022-28615: Apache HTTP Server 2 (2022-06-09)
CVEList: Read beyond bounds in ap_strcmp_match() (2022-06-08)

Vendor Advisories (4)

Ubuntu: Apache HTTP Server regression (2022-06-23)
Ubuntu: Apache HTTP Server vulnerabilities (2022-06-21)
Red Hat: httpd: Out-of-bounds read in ap_strcmp_match() (2022-06-08)
Debian: CVE-2022-28615: apache2 - Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a... (2022)