CVE-2022-28615

Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 2.4.53 and earlier

Description The issue is related to a read beyond bounds in the ap strcmp match() function when provided with an extremely large input buffer. This can cause the server to crash or disclose information. Although no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap strcmp match() may be affected. An attacker can exploit this issue by sending a specially crafted HTTP request, potentially leading to a denial of service or unauthorized access to protected information.

Recommendations For Apache HTTP Server versions 2.4.53 and earlier, consider disabling the use of the ap strcmp match() function in third-party modules or lua scripts until a patch is available. Restrict access to modules that utilize this function to minimize the risk of exploitation. Avoid using third-party modules or lua scripts that rely on ap strcmp match() until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.