CVE-2022-36760

CWE-444 — HTTP Request Smuggling13 documents9 sources

Severity

9.0CRITICAL

EPSS

0.3%

top 47.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Http Server Apache Software Foundation Apache Http Server

Timeline

PublishedJan 17

Latest updateOct 15

Description

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 2.2 | Impact: 6.0

Affected Packages4 packages

▶NVDapache/http_server2.4.0 — 2.4.55

▶CVEListV5apache_software_foundation/apache_http_server2.4 — 2.4.54

▶Debianapache2< 2.4.56-1~deb11u1+3

▶Ubuntuapache2< 2.4.29-1ubuntu4.26+2

🔴Vulnerability Details

OSV

apache2 vulnerabilities↗2023-02-01

▶

OSV

apache2 vulnerabilities↗2023-01-31

▶

GHSA

GHSA-hwqh-57w6-xm49: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smu↗2023-01-17

▶

OSV

CVE-2022-36760: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smu↗2023-01-17

▶

CVEList

Apache HTTP Server: mod_proxy_ajp Possible request smuggling↗2023-01-17

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Platform (Apache HTTP Server) — CVE-2022-36760↗2024-10-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (Apache HTTP Server) — CVE-2022-36760↗2023-04-15

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2023-02-01

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2023-01-31

▶

Red Hat

httpd: mod_proxy_ajp: Possible request smuggling↗2023-01-17

▶