Severity
High
Analysis Summary
CVE-2022-22720
Apache HTTP Server is vulnerable to HTTP request smuggling, caused by the failure to close the inbound connection when errors are encountered discarding the request body. By sending a specially-crafted HTTP(S) transfer-encoding request header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVE-2022-22719
Apache HTTP Server is vulnerable to a denial of service. By using a specially crafted request body to read a random memory area, a remote attacker could exploit this vulnerability to cause the process to crash.
CVE-2022-22721
Apache HTTP Server is vulnerable to a buffer overflow, caused by an integer overflow. By sending an overly large LimitXMLRequestBody, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVE-2022-23943
Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write in mod_sed. By sending specially crafted data, an attacker could exploit this vulnerability to overwrite heap memory and execute arbitrary code on the system.
Impact
- Unauthorized Access
- Denial of Service
- Buffer Overflow
- Code Execution
Indicators Of Compromise
CVE
- CVE-2022-22720
- CVE-2022-22719
- CVE-2022-22721
- CVE-2022-23943
Affected Vendors
Apache
Affected Products
- Apache HTTP Server 2.4.7
- Apache HTTP Server 2.4.8
- Apache HTTP Server 2.4.9
- Apache HTTP Server 2.4.10
Remediation
Upgrade to the latest version of Apache HTTP Server, available from the Apache Website