CVE-2022-36760

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.2 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://httpd.apache.org/security/vulnerabilities_24.html	Mailing List Vendor Advisory
https://security.gentoo.org/glsa/202309-01
https://httpd.apache.org/security/vulnerabilities_24.html	Mailing List Vendor Advisory
https://security.gentoo.org/glsa/202309-01

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:13

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-01-17 20:15

Updated : 2024-11-21 07:13

NVD link : CVE-2022-36760

Mitre link : CVE-2022-36760

CVE.ORG link : CVE-2022-36760

JSON object : View

Products Affected

apache

http_server

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

{"id": "CVE-2022-36760", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.2}]}, "published": "2023-01-17T20:15:11.580", "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://security.gentoo.org/glsa/202309-01", "source": "security@apache.org"}, {"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202309-01", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad de interpretaci\u00f3n inconsistente de solicitudes HTTP (\"contrabando de solicitudes HTTP\") en mod_proxy_ajp del servidor HTTP Apache permite a un atacante contrabandear solicitudes al servidor AJP al que las reenv\u00eda. Este problema afecta al servidor Apache HTTP Server 2.4 versi\u00f3n 2.4.54 y versiones anteriores."}], "lastModified": "2024-11-21T07:13:39.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0A3B324-BA2F-404C-9E0D-6E810296BEA2", "versionEndExcluding": "2.4.55", "versionStartIncluding": "2.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}