IronMonkey Threat Research

CVE-2022-36760 CRITICAL

Published: 2023-01-17 | Last Modified: 2025-04-04 | Status: Modified

Description

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.

Additional Descriptions (1)

An inconsistent interpretation of HTTP requests ("HTTP request smuggling") vulnerability in mod_proxy_ajp of the Apache HTTP Server allows an attacker to smuggle requests to the AJP server to which it forwards them. This issue affects Apache HTTP Server 2.4 version 2.4.54 and earlier versions.

CVSS Metrics

Base Score: 9.0 (CRITICAL)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 2.2

Impact Score: 6.0

Weaknesses

Source | Type | Description
[email protected] | Secondary | en: CWE-444
134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | en: CWE-444

Affected Products

Vendor | Product | Version | Update | Type
apache | http_server | * | | Application

Affected Configurations

Operator: OR

Vulnerable | CPE
Yes | cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
