PT-2022-3378 · Apache · Apache HTTP Server

Ronald Crane · Published 2022-06-08 · Updated 2025-05-15

CVE-2022-29404

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.53 and earlier
Description: The issue lies in the mod_lua module of Apache HTTP Server. A malicious request to a Lua script that calls r:parsebody(0) may cause a denial of service, because passing 0 as the size limit leaves no default limit on the size of the request body that is read and parsed. A remote attacker can trigger this by sending a specially crafted HTTP request to such a script, potentially leading to a denial of service. The root cause is insufficient input validation (no bound on body size) when handling HTTP requests to a Lua script that invokes r:parsebody(0).
Recommendations: For Apache HTTP Server versions 2.4.53 and earlier, as a temporary workaround, consider disabling the r:parsebody(0) call in Lua scripts until a patch is available. Restrict access to Lua scripts that invoke r:parsebody(0) to minimize the risk of exploitation. Avoid exposing Lua scripts that call r:parsebody(0) to HTTP requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
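As an added illustration (not code from this advisory or from the Apache project), a mod_lua handler that avoids the weak r:parsebody(0) call described above: it checks Content-Length against a cap and then passes an explicit byte limit instead of 0. The handler name, the 1 MiB cap and the assumption that a LuaMapHandler directive routes requests to this script are assumptions, not values from the page.

```lua
-- Added example, not from the advisory or Apache: bound the request body
-- before a mod_lua script parses it. Assumes LuaMapHandler routes requests
-- to this file's handle() function.

-- Hypothetical per-endpoint cap; the right value depends on the application.
local MAX_BODY_BYTES = 1024 * 1024  -- 1 MiB

-- Weak pattern from the advisory: on 2.4.53 and earlier a limit of 0 means
-- "no limit", so an oversized body is read and parsed in full.
local function parse_unbounded(r)
    local post, files = r:parsebody(0)
    return post, files
end

-- Hardened pattern: refuse unsized or oversized bodies up front, then parse
-- with an explicit byte limit rather than 0 (the limit is enforced even if a
-- client lies about Content-Length).
local function parse_bounded(r)
    local declared = tonumber(r.headers_in["Content-Length"])
    if declared == nil then
        return nil, nil, 411  -- Length Required: bodies of unknown size refused
    end
    if declared > MAX_BODY_BYTES then
        return nil, nil, 413  -- Payload Too Large
    end
    local post, files = r:parsebody(MAX_BODY_BYTES)
    return post, files, 200
end

function handle(r)
    if r.method ~= "POST" then
        return 405  -- Method Not Allowed
    end
    local post, files, status = parse_bounded(r)
    if status ~= 200 then
        return status
    end
    r.content_type = "text/plain"
    local n = 0
    for _ in pairs(post) do n = n + 1 end
    r:puts(("parsed %d form field(s)\n"):format(n))
    return apache2.OK
end
```

Refusing requests without Content-Length also rejects chunked uploads; if those are needed, keep the explicit limit in r:parsebody and drop the 411 branch.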

Exploit

DoS

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

ALSA-2022:7647
ALSA-2022:8067
ALT-PU-2022-2087
ALT-PU-2022-2093
ALT-PU-2022-2095
ALT-PU-2023-1260
BDU:2022-04147
BIT-APACHE-2022-29404
CESA-2022_7647
CVE-2022-29404
MGASA-2022-0228
OESA-2022-1718
OPENSUSE-SU-2022_2302-1
OPENSUSE-SU-2022_2342-1
OPENSUSE-SU-2024:12142-1
RHSA-2022:6753
RHSA-2022:7647
RHSA-2022:8067
RHSA-2022_7647
RHSA-2022_8067
RLSA-2022:7647
RLSA-2022:8067
SUSE-SU-2022:2099-1
SUSE-SU-2022:2101-1
SUSE-SU-2022:2302-1
SUSE-SU-2022:2338-1
SUSE-SU-2022:2342-1
USN-5487-1
USN-5487-2
USN-5487-3

Affected Products

Alt Linux
Almalinux
Apache Http Server
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu