CVE-2022-37436
Published: 17 January 2023
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
apache2 Launchpad, Ubuntu, Debian |
trusty |
Needed
|
| xenial |
Released
(2.4.18-2ubuntu3.17+esm9)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| kinetic |
Released
(2.4.54-2ubuntu1.1)
|
|
| upstream |
Released
(2.4.55-1)
|
|
| bionic |
Released
(2.4.29-1ubuntu4.26)
|
|
| focal |
Released
(2.4.41-4ubuntu3.13)
|
|
| jammy |
Released
(2.4.52-1ubuntu4.3)
|
|
| lunar |
Released
(2.4.55-1ubuntu1)
|
|
| mantic |
Released
(2.4.55-1ubuntu1)
|
|
|
Patches: upstream: https://github.com/apache/httpd/commit/8b6d55f6a047acf62675e32606b037f5eea8ccc7 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37436
- https://www.openwall.com/lists/oss-security/2023/01/17/7
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-37436
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://ubuntu.com/security/notices/USN-5839-1
- https://ubuntu.com/security/notices/USN-5839-2
- NVD
- Launchpad
- Debian