CVE-2022-28614

EPSS 0.29%
Published 09.06.2022 17:15:09
Last modified 21.11.2024 06:57:35
Source security@apache.org
Teams watchlist Login
Open Login

The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue.

Affected products Warnungen 0 Metrics 3 CWE 2 References 9

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ HTTP Server Version <= 2.4.53

Fedoraproject ≫ Fedora Version35

Fedoraproject ≫ Fedora Version36

Netapp ≫ Clustered Data Ontap Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.29%	0.519

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://httpd.apache.org/security/vulnerabilities_24.html

Vendor Advisory

https://security.gentoo.org/glsa/202208-20

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/

https://security.netapp.com/advisory/ntap-20220624-0005/

Third Party Advisory

http://www.openwall.com/lists/oss-security/2022/06/08/4

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2022-28614

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-28614

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-28614

EUVD