CVE-2022-36760
Published: 17 January 2023
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
apache2 Launchpad, Ubuntu, Debian |
bionic |
Released
(2.4.29-1ubuntu4.26)
|
| focal |
Released
(2.4.41-4ubuntu3.13)
|
|
| jammy |
Released
(2.4.52-1ubuntu4.3)
|
|
| kinetic |
Released
(2.4.54-2ubuntu1.1)
|
|
| lunar |
Released
(2.4.55-1ubuntu1)
|
|
| mantic |
Released
(2.4.55-1ubuntu1)
|
|
| trusty |
Needed
|
|
| upstream |
Released
(2.4.55-1)
|
|
| xenial |
Released
(2.4.18-2ubuntu3.17+esm8)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
Patches: upstream: https://github.com/apache/httpd/commit/d93e61e3e9622bacff746772cb9c97fdcaed8baf |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.0 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
References
- https://www.openwall.com/lists/oss-security/2023/01/17/6
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-36760
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://ubuntu.com/security/notices/USN-5834-1
- https://ubuntu.com/security/notices/USN-5839-1
- https://www.cve.org/CVERecord?id=CVE-2022-36760
- NVD
- Launchpad
- Debian