#VU64078 Inconsistent interpretation of HTTP requests in Apache HTTP Server


Published: 2022-06-08 | Updated: 2023-04-21

Vulnerability identifier: #VU64078

Vulnerability risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-26377

CWE-ID: CWE-444

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache HTTP Server
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests in mod_proxy_ajp. A remote attacker can send a specially crafted HTTP request to the server and smuggle requests to the AJP server it forwards requests to.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache HTTP Server: 2.0 - 2.4.53

External links
http://httpd.apache.org/security/vulnerabilities_24.html#2.4.54

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Inconsistent interpretation of HTTP requests in IBM QRadar SIEM
Inconsistent interpretation of HTTP requests in IBM Rational Build Forge
Multiple vulnerabilities in Dell EMC PowerScale OneFS
Mitsubishi Electric MELSOFT iQ AppPortal update for Apache HTTP server
Multiple vulnerabilities in IBM Aspera Faspex
Inconsistent interpretation of HTTP requests in IBM Aspera Orchestrator
Red Hat JBoss Core Services update for Apache HTTP Server
Multiple vulnerabilities in HPE HP-UX Apache Web Server
Multiple vulnerabilities in Zimbra Collaboration
Red Hat Enterprise Linux 9 update for httpd