OpenCVE

Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Http Server
Redhat	Enterprise Linux Jboss Core Services

Configuration 1 [-]

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
JBoss Core Services for RHEL 8
jbcs-httpd24-httpd-0:2.4.57-5.el8jbcs	cpe:/a:redhat:jboss_core_services:1::el8	RHSA-2023:4629	2023-08-15T00:00:00Z
JBoss Core Services on RHEL 7
jbcs-httpd24-httpd-0:2.4.57-5.el7jbcs	cpe:/a:redhat:jboss_core_services:1::el7	RHSA-2023:4629	2023-08-15T00:00:00Z
Red Hat Enterprise Linux 8
httpd:2.4-8070020230131172653.bd1311ed	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:0852	2023-02-21T00:00:00Z
Red Hat Enterprise Linux 9
httpd-0:2.4.53-7.el9_1.1	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:0970	2023-02-28T00:00:00Z
Red Hat JBoss Core Services 1
httpd	cpe:/a:redhat:jboss_core_services:1	RHSA-2023:4628	2023-08-15T00:00:00Z

References

Link	Providers
https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-37436
https://nvd.nist.gov/vuln/detail/CVE-2022-37436
https://security.gentoo.org/glsa/202309-01
https://www.cve.org/CVERecord?id=CVE-2022-37436

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-01-17T19:12:59.968Z

Updated: 2024-08-03T10:29:20.979Z

Reserved: 2022-08-05T12:37:59.731Z

Link: CVE-2022-37436

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-17T20:15:11.670

Modified: 2024-11-21T07:14:59.487

Link: CVE-2022-37436

Redhat

Severity : Moderate

Publid Date: 2023-01-17T00:00:00Z

Links: CVE-2022-37436 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-37436", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2022-08-05T12:37:59.731Z", "datePublished": "2023-01-17T19:12:59.968Z", "dateUpdated": "2024-08-03T10:29:20.979Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.4.55", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Dimas Fariski Setyawan Putra (@nyxsorcerer)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client."}], "value": "Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-113", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-01-17T19:12:59.968Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"url": "https://security.gentoo.org/glsa/202309-01"}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2022-07-14T06:22:00.000Z", "value": "Reported to security team"}], "title": "Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:29:20.979Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"url": "https://security.gentoo.org/glsa/202309-01", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1AD829E-486E-4D6E-B323-F0FA299E587D", "versionEndExcluding": "2.4.55", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client."}, {"lang": "es", "value": "Antes de Apache HTTP Server 2.4.55, un backend malicioso pod\u00eda provocar que los encabezados de respuesta se truncaran antes de tiempo, lo que provocaba que algunos encabezados se incorporaran al cuerpo de la respuesta. Si los encabezados posteriores tienen alg\u00fan prop\u00f3sito de seguridad, no ser\u00e1n interpretados por el cliente."}], "id": "CVE-2022-37436", "lastModified": "2024-11-21T07:14:59.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-17T20:15:11.670", "references": [{"source": "security@apache.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202309-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202309-01"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-113"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-436"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:4629", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-httpd-0:2.4.57-5.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2023-08-15T00:00:00Z"}, {"advisory": "RHSA-2023:4629", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-httpd-0:2.4.57-5.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2023-08-15T00:00:00Z"}, {"advisory": "RHSA-2023:0852", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "httpd:2.4-8070020230131172653.bd1311ed", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-02-21T00:00:00Z"}, {"advisory": "RHSA-2023:0970", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "httpd-0:2.4.53-7.el9_1.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-02-28T00:00:00Z"}, {"advisory": "RHSA-2023:4628", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "httpd", "product_name": "Red Hat JBoss Core Services 1", "release_date": "2023-08-15T00:00:00Z"}], "bugzilla": {"description": "httpd: mod_proxy: HTTP response splitting", "id": "2161773", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161773"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-113", "details": ["Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.", "A flaw was found in the mod_proxy module of httpd. A malicious backend can cause the response headers to be truncated because they are not cleaned when an error is found while reading them, resulting in some headers being incorporated into the response body and not being interpreted by a client."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. It's recommended to update the affected packages as soon as an update is available."}, "name": "CVE-2022-37436", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "httpd22", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "httpd24-httpd", "product_name": "Red Hat Software Collections"}], "public_date": "2023-01-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-37436\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-37436\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-37436"], "statement": "This flaw is only exploitable via bad headers generated by a malicious backend or a malicious application.\nhttpd as shipped in Red Hat Enterprise Linux 7, 8, 9 and in RHSCL is vulnerable to this flaw. httpd as shipped in Red Hat Enterprise Linux 6 is not affected.\nThis flaw has been rated as having a security impact of moderate, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 7. Red Hat Enterprise Linux 7 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata.", "threat_severity": "Moderate", "upstream_fix": "httpd 2.4.55"}