CVE-2022-37436

CWE-113CWE-436Interpretation Conflict13 documents10 sources
Severity
5.3MEDIUM
EPSS
0.5%
top 35.76%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache Http ServerApache Http Server
Timeline
PublishedJan 17
Latest updateOct 15

Description

Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

NVDapache/http_server< 2.4.55
Debianapache2< 2.4.56-1~deb11u1+3
Ubuntuapache2< 2.4.18-2ubuntu3.17+esm9

🔴Vulnerability Details

5
OSV
apache2 vulnerability2023-02-02
OSV
apache2 vulnerabilities2023-02-01
GHSA
GHSA-3f78-wq4j-7vgr: Prior to Apache HTTP Server 22023-01-17
CVEList
Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting2023-01-17
OSV
CVE-2022-37436: Prior to Apache HTTP Server 22023-01-17

📋Vendor Advisories

7
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: SSL Module (Apache HTTP Server) — CVE-2022-374362023-10-15
Ubuntu
Apache HTTP Server vulnerability2023-02-02
Ubuntu
Apache HTTP Server vulnerabilities2023-02-01
Red Hat
httpd: mod_proxy: HTTP response splitting2023-01-17
Microsoft
Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting2023-01-10
CVE-2022-37436 (MEDIUM CVSS 5.3) | Prior to Apache HTTP Server 2.4.55 | cvebase.io