CVE-2022-26377 HIGH

Published: 2022-06-09 | Last Modified: 2025-05-01 | Status: Analyzed

Description

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.

Additional Descriptions (1)

Una vulnerabilidad de Interpretación Incoherente de las Peticiones HTTP ("Contrabando de Peticiones HTTP") en la función mod_proxy_ajp de Apache HTTP Server permite a un atacante contrabandear peticiones al servidor AJP al que reenvía las peticiones. Este problema afecta a Apache HTTP Server, versión 2.4.53 y anteriores

CVSS Metrics

Base Score: 7.5 (HIGH)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector	NETWORK
Attack Complexity	LOW
Privileges Required	NONE
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	NONE
Integrity Impact	HIGH
Availability Impact	NONE

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 3.6

Base Score: 5.0 (MEDIUM)

AV:N/AC:L/Au:N/C:N/I:P/A:N

Access Vector	NETWORK
Access Complexity	LOW
Authentication	NONE
Confidentiality Impact	NONE
Integrity Impact	PARTIAL
Availability Impact	NONE

Source: [email protected]

Type: Primary

Exploitability Score: 10.0

Impact Score: 2.9

Weaknesses

Source	Type	Description
[email protected]	Secondary	en CWE-444
[email protected]	Primary	en CWE-444

Affected Products

Vendor	Product	Version	Update	Type
apache	http_server	*	<built-in method update of dict object at 0x72a9cc757b40>	Application
fedoraproject	fedora	35	<built-in method update of dict object at 0x72a9e41870c0>	Operating System
fedoraproject	fedora	36	<built-in method update of dict object at 0x72a9cc38e500>	Operating System
netapp	clustered_data_ontap	-	<built-in method update of dict object at 0x72a9cc38ce80>	Application

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:apache:http_server::::::::`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:fedoraproject:fedora:35:::::::*`
Yes	`cpe:2.3:o:fedoraproject:fedora:36:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:netapp:clustered_data_ontap:-:::::::*`

References

http://www.openwall.com/lists/oss-security/2022/06/08/2
Source: [email protected]

Mailing List Third Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.html
Source: [email protected]

Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
Source: [email protected]

Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
Source: [email protected]

Third Party Advisory
https://security.gentoo.org/glsa/202208-20
Source: [email protected]

Third Party Advisory
https://security.netapp.com/advisory/ntap-20220624-0005/
Source: [email protected]

Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/06/08/2
Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.html
Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://security.gentoo.org/glsa/202208-20
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://security.netapp.com/advisory/ntap-20220624-0005/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory