CVE-2022-37436

MEDIUM severity · CVSS 5.3 · CWE-113

5.3CVSS MEDIUM

Summary

Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactNone

Integrity impactLow

Availability impactNone

Exploit probability (EPSS)1%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected products we track (1)

Apache HTTP Server

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://httpd.apache.org/security/vulnerabilities_24.htmlAdvisory
https://httpd.apache.org/security/vulnerabilities_24.htmlAdvisory
https://security.gentoo.org/glsa/202309-01
https://security.gentoo.org/glsa/202309-01