Vulnerability Details : CVE-2022-30522

If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.

Published 2022-06-09 17:15:10

Updated 2022-09-07 17:35:03

Source Apache Software Foundation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-30522

Probability of exploitation activity in the next 30 days: 50.15%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 97 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-30522

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	[email protected]
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-30522

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Assigned by: [email protected] (Primary)
CWE-789 Memory Allocation with Excessive Size Value

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Assigned by: [email protected] (Secondary)

References for CVE-2022-30522

https://httpd.apache.org/security/vulnerabilities_24.html

Vendor Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/[email protected]/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/

Mailing List;Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202208-20

Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2022/06/08/6

Mailing List;Third Party Advisory
https://security.netapp.com/advisory/ntap-20220624-0005/

Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/[email protected]/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/

Mailing List;Third Party Advisory

CVEs referencing this url

Products affected by CVE-2022-30522

Apache » Http Server » Version: 2.4.53
cpe:2.3:a:apache:http_server:2.4.53:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 36
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Matching versions
Netapp » Clustered Data Ontap » Version: N/A
cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
Matching versions