PT-2022-3345 · Apache · Apache Http Server
Ronald Crane
·
Published
2022-06-08
·
Updated
2025-03-22
·
CVE-2022-28614
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache HTTP Server versions 2.4.53 and earlier
Description
The ap_rwrite() function in Apache HTTP Server may read unintended memory if an attacker can cause the server to reflect very large input through ap_rwrite() or ap_rputs(), for example via mod_lua's r:puts() function. ap_rputs() measures the string with strlen() and hands the length to ap_rwrite() as an int, so a string of INT_MAX bytes or more overflows that integer and the subsequent write can read beyond the allocated buffer (an integer overflow leading to an out-of-bounds read). Exploitation may allow a remote attacker to disclose server memory; this matches the CVSS vector above (C:L, A:N), which rates the impact as a confidentiality loss rather than a denial of service.
Recommendations
Update Apache HTTP Server to 2.4.54 or later. Modules compiled and distributed separately from Apache HTTP Server that use the ap_rputs() function and may pass it a very large (INT_MAX or larger) string must be recompiled against the current headers: the fix lives in the header-provided ap_rputs(), so a module binary built against 2.4.53 or earlier headers keeps the vulnerable length handling even on a patched server. As a temporary workaround, restrict the use of ap_rwrite() and ap_rputs(), including mod_lua's r:puts(), with attacker-controlled input until the update is applied.
Exploit
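The integer-overflow mechanism behind this advisory, modelled as an added example (this is not httpd's own code): `legacy_rputs_len` mirrors the pre-fix `ap_rputs()` macro, which cast the `strlen()` result to `int`; `fixed_rputs_len` mirrors the bounds check the updated header applies before calling `ap_rwrite()`; `model_rwrite_overread` stands in for a downstream consumer that turns the `int` byte count back into an unsigned size. All three names are hypothetical, and lengths are passed as values so the model can be exercised without allocating multi-gigabyte strings.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the pre-2.4.54 ap_rputs() macro, which expanded to
 * ap_rwrite(str, (int)strlen(str), r). The size_t length is narrowed to
 * int, so anything above INT_MAX wraps (to INT_MIN for INT_MAX + 1 on
 * two's-complement builds). The length is a parameter here instead of a
 * real string so the arithmetic can be run with small memory. */
static int legacy_rputs_len(size_t len)
{
    return (int)len;
}

/* Hypothetical model of the hardened inline ap_rputs() from the fixed
 * headers: refuse any length the int parameter cannot represent, so
 * ap_rwrite() is never reached with a wrapped count. */
static int fixed_rputs_len(size_t len)
{
    if (len > INT_MAX)
        return -1;          /* caller sees a write error, nothing is read */
    return (int)len;
}

/* Hypothetical model of a writer that, like an output path taking an
 * apr_size_t, converts the int byte count back into an unsigned size.
 * Returns how many bytes would be read past the `buflen` bytes that
 * actually exist, or 0 when the request stays in bounds. A wrapped
 * negative count becomes an enormous size on an LP64 build. */
static size_t model_rwrite_overread(int nbyte, size_t buflen)
{
    size_t wanted = (size_t)nbyte;
    return wanted > buflen ? wanted - buflen : 0;
}

int main(void)
{
    size_t big = (size_t)INT_MAX + 1;   /* constructed: one byte past INT_MAX */

    printf("legacy length for %zu bytes: %d\n", big, legacy_rputs_len(big));
    printf("fixed  length for %zu bytes: %d\n", big, fixed_rputs_len(big));
    printf("bytes read beyond buffer via legacy path: %zu\n",
           model_rwrite_overread(legacy_rputs_len(big), big));
    return 0;
}
```

The model also shows why separately built modules must be recompiled: the narrowing happens in the macro expanded into the module, not in the server binary, so only a rebuild against the fixed header replaces the `legacy_rputs_len` behaviour with the `fixed_rputs_len` check.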
Fix
Information Disclosure
Integer Overflow
Related Identifiers
Affected Products
Alt Linux
Almalinux
Apache Http Server
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu