CVE-2022-36760 - Vulnerability Details - OpenCVE

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Http Server
Redhat	Enterprise Linux Jboss Core Services

Configuration 1 [-]

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
JBoss Core Services for RHEL 8
jbcs-httpd24-httpd-0:2.4.57-5.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2023:4629	2023-08-15T00:00:00Z
JBoss Core Services on RHEL 7
jbcs-httpd24-httpd-0:2.4.57-5.el7jbcs	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2023:4629	2023-08-15T00:00:00Z
Red Hat Enterprise Linux 8
httpd:2.4-8070020230131172653.bd1311ed	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:0852	2023-02-21T00:00:00Z
Red Hat Enterprise Linux 9
httpd-0:2.4.53-7.el9_1.1	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:0970	2023-02-28T00:00:00Z
Text-Only JBCS
httpd	cpe:/a:redhat:jboss_core_services:1	RHSA-2023:4628	2023-08-15T00:00:00Z

References

Link	Providers
https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-36760
https://nvd.nist.gov/vuln/detail/CVE-2022-36760
https://security.gentoo.org/glsa/202309-01
https://www.cve.org/CVERecord?id=CVE-2022-36760

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-01-17T19:11:55.106Z

Updated: 2025-02-13T16:32:50.112Z

Reserved: 2022-07-25T12:18:16.655Z

Link: CVE-2022-36760

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-17T20:15:11.580

Modified: 2024-11-21T07:13:39.360

Link: CVE-2022-36760

Redhat

Severity : Moderate

Publid Date: 2023-01-17T00:00:00Z

Links: CVE-2022-36760 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-36760", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2022-07-25T12:18:16.655Z", "datePublished": "2023-01-17T19:11:55.106Z", "dateUpdated": "2025-02-13T16:32:50.112Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.54", "status": "affected", "version": "2.4", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions."}], "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-09-08T21:06:22.161Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"url": "https://security.gentoo.org/glsa/202309-01"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2022-07-12T11:00:00.000Z", "value": "Reported to security team"}], "title": "Apache HTTP Server: mod_proxy_ajp Possible request smuggling", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:14:28.094Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"url": "https://security.gentoo.org/glsa/202309-01", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0A3B324-BA2F-404C-9E0D-6E810296BEA2", "versionEndExcluding": "2.4.55", "versionStartIncluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad de interpretaci\u00f3n inconsistente de solicitudes HTTP (\"contrabando de solicitudes HTTP\") en mod_proxy_ajp del servidor HTTP Apache permite a un atacante contrabandear solicitudes al servidor AJP al que las reenv\u00eda. Este problema afecta al servidor Apache HTTP Server 2.4 versi\u00f3n 2.4.54 y versiones anteriores."}], "id": "CVE-2022-36760", "lastModified": "2024-11-21T07:13:39.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-17T20:15:11.580", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202309-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202309-01"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:4629", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-httpd-0:2.4.57-5.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2023-08-15T00:00:00Z"}, {"advisory": "RHSA-2023:4629", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-httpd-0:2.4.57-5.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2023-08-15T00:00:00Z"}, {"advisory": "RHSA-2023:0852", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "httpd:2.4-8070020230131172653.bd1311ed", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-02-21T00:00:00Z"}, {"advisory": "RHSA-2023:0970", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "httpd-0:2.4.53-7.el9_1.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-02-28T00:00:00Z"}, {"advisory": "RHSA-2023:4628", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "httpd", "product_name": "Text-Only JBCS", "release_date": "2023-08-15T00:00:00Z"}], "bugzilla": {"description": "httpd: mod_proxy_ajp: Possible request smuggling", "id": "2161777", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161777"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-444", "details": ["Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.", "A flaw was found in the mod_proxy_ajp module of httpd. The connection is not closed when there is an invalid Transfer-Encoding header, allowing an attacker to smuggle requests to the AJP server, where it forwards requests."], "name": "CVE-2022-36760", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "httpd22", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "httpd24-httpd", "product_name": "Red Hat Software Collections"}], "public_date": "2023-01-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-36760\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-36760\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-36760"], "statement": "This flaw only affects configurations with mod_proxy_ajp loaded and with an AJP backend configured. If there is no proxy configured to an AJP backend the server is not affected and no further mitigation is needed. For more information about the mitigation, check the mitigation section below.\nThe httpd mod_proxy_ajp module is enabled by default on Red Hat Enterprise Linux 6, 7, 8, 9, and in RHSCL. However, there are no directives forwarding requests using the AJP protocol.\nThis flaw has been rated as having a security impact of moderate, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 7. Red Hat Enterprise Linux 7 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata.", "threat_severity": "Moderate", "upstream_fix": "httpd 2.4.55"}