Your submission was sent successfully! Close

CVE-2022-28614

Published: 9 June 2022

The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue.

Priority

Low

CVSS 3 base score: 5.3

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian
bionic
Released (2.4.29-1ubuntu4.24)
focal
Released (2.4.41-4ubuntu3.12)
impish
Released (2.4.48-3.1ubuntu3.5)
jammy
Released (2.4.52-1ubuntu4.1)
kinetic
Released (2.4.54-2ubuntu1)
trusty
Released (2.4.7-1ubuntu4.22+esm6)
upstream
Released (2.4.54-1)
xenial
Released (2.4.18-2ubuntu3.17+esm6)
Patches:
upstream: https://github.com/apache/httpd/commit/8c14927162cf3b4f810683e1c5505e9ef9e1f123