CVE-2022-22720

critical

Description

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling

References

https://httpd.apache.org/security/vulnerabilities_24.html

http://www.openwall.com/lists/oss-security/2022/03/14/3

https://security.netapp.com/advisory/ntap-20220321-0001/

https://lists.fedoraproject.org/archives/list/[email protected]/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/

https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/

https://lists.fedoraproject.org/archives/list/[email protected]/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/

https://www.oracle.com/security-alerts/cpuapr2022.html

https://support.apple.com/kb/HT213256

https://support.apple.com/kb/HT213257

https://support.apple.com/kb/HT213255

http://seclists.org/fulldisclosure/2022/May/38

http://seclists.org/fulldisclosure/2022/May/33

http://seclists.org/fulldisclosure/2022/May/35

https://www.oracle.com/security-alerts/cpujul2022.html

https://security.gentoo.org/glsa/202208-20

Details

Source: MITRE

Published: 2022-03-14

Updated: 2022-11-02

Type: CWE-444

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL