Alpine: multiple apache2 packages: security update to 2.4.54-r0

critical Tenable Cloud Security Plugin ID 423659

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on
client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on
the origin server/application. (CVE-2022-31813)

- Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of
Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This
issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.
(CVE-2022-26377)

- Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process
requests with the mod_isapi module. (CVE-2022-28330)

- The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an
attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with
mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use
the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against
current headers to resolve the issue. (CVE-2022-28614)

- Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in
ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the
server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may
hypothetically be affected. (CVE-2022-28615)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-26377

https://security.alpinelinux.org/vuln/CVE-2022-28330

https://security.alpinelinux.org/vuln/CVE-2022-28614

https://security.alpinelinux.org/vuln/CVE-2022-28615

https://security.alpinelinux.org/vuln/CVE-2022-29404

https://security.alpinelinux.org/vuln/CVE-2022-30522

https://security.alpinelinux.org/vuln/CVE-2022-30556

https://security.alpinelinux.org/vuln/CVE-2022-31813

Plugin Details

Severity: Critical

ID: 423659

Version: Revision 1.9

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

Percentile: 96.95

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-31813

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 6/8/2022

Reference Information

CVE: CVE-2022-26377, CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30522, CVE-2022-30556, CVE-2022-31813

IAVA: 2022-A-0230-S