Severity
High
Analysis Summary
CVE-2022-25147 CVSS:9.8
Apache Portable Runtime (APR) could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the apr_base64 functions. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVE-2022-28331 CVSS:9.8
Apache Portable Runtime (APR) could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the apr_socket_sendv() function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVE-2022-24963 CVSS:9.8
Apache Portable Runtime (APR) could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the apr_encode functions. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
Impact
- Unauthorized Access
Indicators Of Compromise
CVE
- CVE-2022-25147
- CVE-2022-28331
- CVE-2022-24963
Affected Vendors
Apache
Affected Products
Apache Portable Runtime 1.7.0
Apache Portable Runtime 1.6.1
Remediation
Upgrade to the latest version of Apache Portable Runtime, available from the Apache Web site.