CVE-2022-28615 CRITICAL

Published: 2022-06-09 | Last Modified: 2025-12-18 | Status: Modified

Description

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.

Additional Descriptions (1)

Apache HTTP Server versiones 2.4.53 y anteriores, puede fallar o revelar información debido a una lectura más allá de los límites en la función ap_strcmp_match() cuando le es proporcionado un búfer de entrada extremadamente grande. Mientras que ningún código distribuido con el servidor puede ser coaccionado en tal llamada, los módulos de terceros o los scripts lua que usan ap_strcmp_match() pueden hipotéticamente ser afectados

CVSS Metrics

Base Score: 9.1 (CRITICAL)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Attack Vector	NETWORK
Attack Complexity	LOW
Privileges Required	NONE
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	NONE
Availability Impact	HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 5.2

Base Score: 6.4 (MEDIUM)

AV:N/AC:L/Au:N/C:P/I:N/A:P

Access Vector	NETWORK
Access Complexity	LOW
Authentication	NONE
Confidentiality Impact	PARTIAL
Integrity Impact	NONE
Availability Impact	PARTIAL

Source: [email protected]

Type: Primary

Exploitability Score: 10.0

Impact Score: 4.9

Weaknesses

Source	Type	Description
[email protected]	Secondary	en CWE-190
[email protected]	Primary	en CWE-190

Affected Products

Vendor	Product	Version	Update	Type
apache	http_server	*	<built-in method update of dict object at 0x72a9b0aa7840>	Application
fedoraproject	fedora	35	<built-in method update of dict object at 0x72a9cd0da240>	Operating System
fedoraproject	fedora	36	<built-in method update of dict object at 0x72a9ccd2b280>	Operating System
netapp	clustered_data_ontap	-	<built-in method update of dict object at 0x72a9cc875a80>	Application

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:apache:http_server::::::::`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:fedoraproject:fedora:35:::::::*`
Yes	`cpe:2.3:o:fedoraproject:fedora:36:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:netapp:clustered_data_ontap:-:::::::*`

References

http://www.openwall.com/lists/oss-security/2022/06/08/9
Source: [email protected]

Mailing List Third Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.html
Source: [email protected]

Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
Source: [email protected]

Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
Source: [email protected]

Third Party Advisory
https://security.gentoo.org/glsa/202208-20
Source: [email protected]

Third Party Advisory
https://security.netapp.com/advisory/ntap-20220624-0005/
Source: [email protected]

Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/06/08/9
Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.html
Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://security.gentoo.org/glsa/202208-20
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://security.netapp.com/advisory/ntap-20220624-0005/
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory