CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.423 Medium
Percentile: 97.3%

Issue Overview:
An HTTP request smuggling vulnerability was found in the mod_proxy_ajp module of httpd. This flaw allows an attacker to smuggle requests to the AJP server to which httpd forwards requests. (CVE-2022-26377)
An out-of-bounds read vulnerability was found in the mod_isapi module of httpd. The issue occurs when httpd is configured to process requests with the mod_isapi module. (CVE-2022-28330)
An out-of-bounds read vulnerability was found in httpd. A very large input to the ap_rputs and ap_rwrite functions can lead to an integer overflow and result in an out-of-bounds read. (CVE-2022-28614)
An out-of-bounds read vulnerability was found in httpd. A very large input to the ap_strcmp_match function can lead to an integer overflow and result in an out-of-bounds read. (CVE-2022-28615)
A flaw was found in the mod_lua module of httpd. A malicious request to a Lua script that calls parsebody(0) can lead to a denial of service due to no default limit on the possible input size. (CVE-2022-29404)
A flaw was found in the mod_sed module of httpd. A very large input to the mod_sed module can result in a denial of service due to excessively large memory allocations. (CVE-2022-30522)
A flaw was found in the mod_lua module of httpd. The data returned by the wsread function may point past the end of the storage allocated for the buffer, resulting in information disclosure. (CVE-2022-30556)
A flaw was found in the mod_proxy module of httpd. The server may remove the X-Forwarded-* headers from a request based on the client-side Connection header hop-by-hop mechanism. (CVE-2022-31813)
Affected Packages:
httpd24
Issue Correction:
Run yum update httpd24 to update your system.
New Packages:
i686:
httpd24-tools-2.4.54-1.98.amzn1.i686
mod24_session-2.4.54-1.98.amzn1.i686
mod24_ldap-2.4.54-1.98.amzn1.i686
httpd24-2.4.54-1.98.amzn1.i686
httpd24-debuginfo-2.4.54-1.98.amzn1.i686
httpd24-devel-2.4.54-1.98.amzn1.i686
mod24_ssl-2.4.54-1.98.amzn1.i686
mod24_proxy_html-2.4.54-1.98.amzn1.i686
mod24_md-2.4.54-1.98.amzn1.i686
noarch:
httpd24-manual-2.4.54-1.98.amzn1.noarch
src:
httpd24-2.4.54-1.98.amzn1.src
x86_64:
httpd24-tools-2.4.54-1.98.amzn1.x86_64
mod24_session-2.4.54-1.98.amzn1.x86_64
mod24_ldap-2.4.54-1.98.amzn1.x86_64
httpd24-debuginfo-2.4.54-1.98.amzn1.x86_64
httpd24-2.4.54-1.98.amzn1.x86_64
mod24_md-2.4.54-1.98.amzn1.x86_64
mod24_proxy_html-2.4.54-1.98.amzn1.x86_64
mod24_ssl-2.4.54-1.98.amzn1.x86_64
httpd24-devel-2.4.54-1.98.amzn1.x86_64
Red Hat: CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813
Mitre: CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | httpd24-tools | < 2.4.54-1.98.amzn1 | httpd24-tools-2.4.54-1.98.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | mod24_session | < 2.4.54-1.98.amzn1 | mod24_session-2.4.54-1.98.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | mod24_ldap | < 2.4.54-1.98.amzn1 | mod24_ldap-2.4.54-1.98.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | httpd24 | < 2.4.54-1.98.amzn1 | httpd24-2.4.54-1.98.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | httpd24-debuginfo | < 2.4.54-1.98.amzn1 | httpd24-debuginfo-2.4.54-1.98.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | httpd24-devel | < 2.4.54-1.98.amzn1 | httpd24-devel-2.4.54-1.98.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | mod24_ssl | < 2.4.54-1.98.amzn1 | mod24_ssl-2.4.54-1.98.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | mod24_proxy_html | < 2.4.54-1.98.amzn1 | mod24_proxy_html-2.4.54-1.98.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | mod24_md | < 2.4.54-1.98.amzn1 | mod24_md-2.4.54-1.98.amzn1.i686.rpm |
Amazon Linux | 1 | noarch | httpd24-manual | < 2.4.54-1.98.amzn1 | httpd24-manual-2.4.54-1.98.amzn1.noarch.rpm |
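
To confirm a host is past the affected range in the table above, the following added example (not part of the original advisory) compares installed package versions against the fixed `2.4.54-1.98.amzn1` using rpm-style segment ordering rather than plain string comparison. The function names and the sample `rpm -qa` output are constructed for illustration, and the comparison assumes versions without `~` or `^` markers.

```python
import re

FIXED_EVR = "2.4.54-1.98.amzn1"  # fixed version-release from the advisory table
AFFECTED = {"httpd24", "httpd24-tools", "httpd24-devel", "httpd24-debuginfo", "httpd24-manual",
            "mod24_session", "mod24_ldap", "mod24_ssl", "mod24_proxy_html", "mod24_md"}

def rpmvercmp(a, b):
    """Compare two version or release strings by rpm-style segments (no ~ or ^)."""
    sa = re.findall(r"[0-9]+|[a-zA-Z]+", a)
    sb = re.findall(r"[0-9]+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_evr(evr):
    epoch, _, rest = evr.rpartition(":")     # epoch is "" when absent
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def find_unpatched(rpm_lines):
    """Return (name, installed_evr) for advisory packages older than FIXED_EVR."""
    stale = []
    for line in rpm_lines:
        parts = line.split()
        if len(parts) == 2 and parts[0] in AFFECTED and evr_cmp(parts[1], FIXED_EVR) < 0:
            stale.append((parts[0], parts[1]))
    return stale

# Constructed sample of: rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """\
httpd24 2.4.53-1.96.amzn1
httpd24-tools 2.4.54-1.98.amzn1
mod24_ssl 2.4.9-2.10.amzn1
mod24_md 2.4.54-1.99.amzn1
openssl 1.0.2k-16.162.amzn1
""".splitlines()

if __name__ == "__main__":
    for name, evr in find_unpatched(SAMPLE):
        print(f"{name} {evr} is older than {FIXED_EVR}: run yum update httpd24")
```

The constructed `mod24_ssl 2.4.9` line is the case a plain string comparison gets wrong, since `"9"` sorts after `"54"` lexically.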