Vulnerability Details : CVE-2022-28614
The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue.
Vulnerability category: OverflowInformation leak
Products affected by CVE-2022-28614
- cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
Threat overview for CVE-2022-28614
Top countries where our scanners detected CVE-2022-28614
Top open port discovered on systems with this issue
80
IPs affected by CVE-2022-28614 10,278,194
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2022-28614!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2022-28614
0.29%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 69 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-28614
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2022-28614
-
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.Assigned by:
- nvd@nist.gov (Primary)
- security@apache.org (Secondary)
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: security@apache.org (Secondary)
References for CVE-2022-28614
-
https://httpd.apache.org/security/vulnerabilities_24.html
httpd 2.4 vulnerabilities - The Apache HTTP Server ProjectVendor Advisory
-
http://www.openwall.com/lists/oss-security/2022/06/08/4
oss-security - CVE-2022-28614: Apache HTTP Server: read beyond bounds via ap_rwrite()Mailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
[SECURITY] Fedora 36 Update: httpd-2.4.54-3.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/202208-20
Apache HTTPD: Multiple Vulnerabilities (GLSA 202208-20) — Gentoo securityThird Party Advisory
-
https://security.netapp.com/advisory/ntap-20220624-0005/
June 2022 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
[SECURITY] Fedora 35 Update: httpd-2.4.54-1.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
Jump to