12 matches found
CVE-2022-31813
CVE-2022-31813 affects Apache HTTP Server 2.4.53 and older; due to hop-by-hop handling, X-Forwarded-* headers may be dropped to the origin server, which can enable bypass of IP-based authentication. All connected advisories indicate the fix is in Apache HTTP Server 2.4.54 and related updates in d...
CVE-2022-23943
CVE-2022-23943 is an out-of-bounds write vulnerability in httpd’s mod_sed that could allow memory corruption by attacker-supplied data. Affected: Apache HTTP Server 2.4.52 and earlier. Mitigation: upgrade to a fixed release (e.g., httpd 2.4.53 or later) as indicated by multiple advisories (includ...
CVE-2022-22720
CVE-2022-22720 – Apache httpd HTTP Request Smuggling (details from connected docs) Affected software: Apache HTTP Server (httpd) versions 2.4.52 and earlier. Root cause / description: Inbound connections are not closed when errors occur while discarding the request body, which can expose the serv...
CVE-2022-28615
CVE-2022-28615 affects Apache HTTP Server 2.4.53 and earlier, where a read beyond bounds can occur in ap_strcmp_match() when given a very large input buffer. The issue may affect third‑party modules or lua scripts that call this function. Advisories in connected documents reference an official fi...
CVE-2022-22721
CVE-2022-22721 concerns the Apache HTTP Server. On 32-bit systems, if LimitXMLRequestBody is set to allow request bodies larger than 350 MB (default 1 MB), an integer overflow can occur, leading to out-of-bounds writes. Affected product: Apache HTTP Server 2.4.52 and earlier. Impact per sources: ...
CVE-2022-30556
The CVE-2022-30556 issue affects Apache HTTP Server (2.4.53 and earlier) where the wsread path may return a pointer past the end of the buffer, enabling information disclosure via websockets. Public references in connected sources corroborate: (1) industry advisories note an information disclosur...
CVE-2022-22719
Summary (CVE-2022-22719) Affects Apache HTTP Server (httpd) 2.4.52 and earlier. The issue arises in the httpd mod_lua component where an uninitialized value in r:parsebody can cause a read to a random memory area, potentially leading to a crash and availability impact. Connected advisories confir...
CVE-2022-26377
CVE-2022-26377 is a real HTTP Request Smuggling vulnerability in the mod_proxy_ajp module of Apache HTTP Server. Affected: Apache httpd 2.4.53 and earlier. Description across sources confirms that an attacker can smuggle requests to the AJP server to which httpd forwards traffic. Patches/updates ...
CVE-2022-28614
CVE-2022-28614 affects Apache HTTP Server 2.4.53 and earlier. The vulnerability stems from ap_rwrite() potentially reading unintended memory when reflecting very large input via ap_rwrite() or ap_rputs(), notably with mod_luas r:puts(). Modules compiled against older headers that use ap_rputs may...
CVE-2022-29404
CVE-2022-29404 affects Apache HTTP Server 2.4.53 and earlier. The vulnerability lies in the mod_lua code path: a malicious request to a Lua script calling r:parsebody(0) can cause a denial of service due to no default input size limit. Impact is DoS (availability) with network exposure; no data c...
CVE-2022-30522
CVE-2022-30522 affects Apache HTTP Server mod_sed; when input to mod_sed is very large, it can cause excessive memory allocations and aborts, impacting availability. The issue is documented across multiple feeds (e.g., CVE page for 2.4.53 context and later advisories) and is addressed by updating...
CVE-2022-28330
CVE-2022-28330 affects Apache HTTP Server 2.4.53 and earlier on Windows, describing an out-of-bounds read when processing requests with the mod_isapi module. Public references in ALAS advisories indicate the fix is included in httpd 2.4.54 (and related ALT Linux advisories). Mitigation requires u...