CVE-2022-28330 - Vulnerability Details - OpenCVE

Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00324.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Http Server
Microsoft	Windows
Redhat	Jboss Core Services

Configuration 1 [-]

AND

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Text-Only JBCS
jbcs-httpd24-httpd	cpe:/a:redhat:jboss_core_services:1	RHSA-2022:8841	2022-12-08T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-32782	Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/06/08/3
https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-28330
https://nvd.nist.gov/vuln/detail/CVE-2022-28330
https://security.netapp.com/advisory/ntap-20220624-0005/
https://www.cve.org/CVERecord?id=CVE-2022-28330

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-06-08T10:00:34

Updated: 2024-08-03T05:48:37.891Z

Reserved: 2022-04-01T00:00:00

Link: CVE-2022-28330

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-06-09T17:15:09.133

Modified: 2024-11-21T06:57:10.600

Link: CVE-2022-28330

Redhat

Severity : Low

Publid Date: 2022-06-08T00:00:00Z

Links: CVE-2022-28330 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"platforms": ["Windows"], "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.53", "status": "affected", "version": "Apache HTTP Server", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue"}], "descriptions": [{"lang": "en", "value": "Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module."}], "metrics": [{"other": {"content": {"other": "low"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-24T15:06:22", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"name": "[oss-security] 20220608 CVE-2022-28330: Apache HTTP Server: read beyond bounds in mod_isapi", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/06/08/3"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220624-0005/"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2022-06-08T00:00:00", "value": "released in 2.4.54"}], "title": "read beyond bounds in mod_isapi", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-28330", "STATE": "PUBLIC", "TITLE": "read beyond bounds in mod_isapi"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache HTTP Server", "version": {"version_data": [{"platform": "Windows", "version_affected": "<=", "version_name": "Apache HTTP Server", "version_value": "2.4.53"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "low"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-125 Out-of-bounds Read"}]}]}, "references": {"reference_data": [{"name": "https://httpd.apache.org/security/vulnerabilities_24.html", "refsource": "MISC", "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"name": "[oss-security] 20220608 CVE-2022-28330: Apache HTTP Server: read beyond bounds in mod_isapi", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/06/08/3"}, {"name": "https://security.netapp.com/advisory/ntap-20220624-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220624-0005/"}]}, "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2022-06-08T00:00:00", "value": "released in 2.4.54"}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:48:37.891Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"name": "[oss-security] 20220608 CVE-2022-28330: Apache HTTP Server: read beyond bounds in mod_isapi", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/06/08/3"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220624-0005/"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-28330", "datePublished": "2022-06-08T10:00:34", "dateReserved": "2022-04-01T00:00:00", "dateUpdated": "2024-08-03T05:48:37.891Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B39537A1-5A13-491A-B333-BB53FF718EA7", "versionEndIncluding": "2.4.53", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module."}, {"lang": "es", "value": "Apache HTTP Server versiones 2.4.53 y anteriores en Windows, puede leer m\u00e1s all\u00e1 de los l\u00edmites cuando es configurado para procesar peticiones con el m\u00f3dulo mod_isapi"}], "id": "CVE-2022-28330", "lastModified": "2024-11-21T06:57:10.600", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-09T17:15:09.133", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/06/08/3"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "security@apache.org", "url": "https://security.netapp.com/advisory/ntap-20220624-0005/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/06/08/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20220624-0005/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:8841", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "jbcs-httpd24-httpd", "product_name": "Text-Only JBCS", "release_date": "2022-12-08T00:00:00Z"}], "bugzilla": {"description": "httpd: mod_isapi: out-of-bounds read", "id": "2095000", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2095000"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-125", "details": ["Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module.", "An out-of-bounds read vulnerability was found in the mod_isapi module of httpd. The issue occurs when httpd is configured to process requests with the mod_isapi module."], "name": "CVE-2022-28330", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "httpd:2.4/httpd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "httpd22", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Not affected", "package_name": "httpd24", "product_name": "Red Hat JBoss Web Server 3"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "httpd24-httpd", "product_name": "Red Hat Software Collections"}], "public_date": "2022-06-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-28330\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-28330\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-28330"], "statement": "Httpd, as shipped with Red Hat Enterprise Linux 6, 7, 8, 9, and RHSCL, is not affected by this flaw because it does not ship the mod_isapi module. The mod_isapi module is shipped by Windows systems only.", "threat_severity": "Low"}