PT-2022-3356 · Apache+10 · Apache Http Server+10
Ricter Z · Published 2022-03-02 · Updated 2025-09-29
CVE-2022-26377
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Apache HTTP Server versions 2.4.53 and prior versions
Description
The issue is an inconsistent interpretation of HTTP requests ('HTTP Request Smuggling') in the mod_proxy_ajp module of the Apache HTTP Server. It allows an attacker to smuggle requests to the AJP server that the module forwards requests to. A remote attacker can exploit the issue by sending a specially crafted HTTP request to the server, redirecting requests to the AJP server. There is no information about the estimated number of potentially affected devices worldwide or about real-world incidents in which this issue was exploited.
Recommendations
For Apache HTTP Server versions 2.4.53 and prior versions, update to a version that contains a fix for this issue.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Out of bounds Read
Integer Overflow
Allocation of Resources Without Limits
HTTP Request/Response Smuggling
Insufficient Verification of Data Authenticity
Information Disclosure
Improper Authentication
Related Identifiers
Affected Products
Alt Linux
Almalinux
Apache Http Server
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu