Vulnerability Details : CVE-2022-37436
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause mod_proxy to stop reading the backend's response headers early, so that the remaining header lines are forwarded to the client as the start of the response body. Any of those later headers that have a security purpose (a Content-Security-Policy or a Set-Cookie, for example) are therefore never interpreted by the client. The Apache advisory describes this as a backend-triggered HTTP response splitting; the fix shipped in httpd 2.4.55.
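The following is an added illustration of the failure mode just described, written for this page; it is not httpd's mod_proxy source and does not reproduce the exact condition that affected httpd before 2.4.55. It models a reverse proxy's response-header reader in two flavours: a lenient one that stops at the first malformed header line and hands the rest back as body (the pattern that lets a backend push later headers into the body), and a strict one that refuses to forward such a response at all. The trigger used, a header line with no ':' separator, and the sample responses are constructed assumptions.

```python
"""
Constructed model of the CVE-2022-37436 failure mode (not httpd code).

A lenient header reader that gives up on the first malformed line turns every
header after it into body bytes; a strict reader answers 502 instead.
"""


# Constructed backend response: security headers follow a malformed line.
MALICIOUS_BACKEND_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"not-a-header-line\r\n"                      # assumed trigger: no ':'
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"\r\n"
    b"<html>hello</html>"
)

# Constructed well-formed response for comparison.
BENIGN_BACKEND_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"\r\n"
    b"<html>hello</html>"
)


class MalformedHeader(ValueError):
    """Raised by the strict reader when a header line is not acceptable."""


def read_headers(raw, strict):
    """Split a raw HTTP/1.1 response into (status_line, headers, body).

    strict=False: on a malformed line, stop reading headers and return the
                  remainder as the body (the vulnerable behaviour).
    strict=True:  raise MalformedHeader instead, so nothing is forwarded.
    """
    status_line, sep, rest = raw.partition(b"\r\n")
    if not sep or not status_line.startswith(b"HTTP/1."):
        raise MalformedHeader("bad status line")
    headers = {}
    while True:
        line, sep, rest = rest.partition(b"\r\n")
        if not sep:
            raise MalformedHeader("header block not terminated")
        if line == b"":
            break                                # blank line: end of headers
        name, colon, value = line.partition(b":")
        bad = (not colon or not name.strip()
               or any(c < 0x20 and c != 0x09 for c in line))   # bare CR/LF, NUL
        if bad:
            if strict:
                raise MalformedHeader("malformed header line: %r" % line)
            break               # vulnerable path: remaining headers become body
        headers[name.strip().lower().decode("latin-1")] = \
            value.strip().decode("latin-1")
    return status_line.decode("latin-1"), headers, rest


def proxy_forward(raw, strict):
    """What the proxy sends to the client as (status, headers, body)."""
    try:
        status_line, headers, body = read_headers(raw, strict)
    except MalformedHeader:
        return 502, {}, b"Bad Gateway"
    return int(status_line.split()[1]), headers, body


def client_gets_csp(raw, strict):
    """True if the client actually receives a Content-Security-Policy header."""
    _, headers, _ = proxy_forward(raw, strict)
    return "content-security-policy" in headers


if __name__ == "__main__":
    for strict in (False, True):
        status, headers, body = proxy_forward(MALICIOUS_BACKEND_RESPONSE, strict)
        print("strict=%-5s status=%d headers=%s body=%r"
              % (strict, status, sorted(headers), body[:48]))
```

With `strict=False` the client receives a 200 whose only header is Content-Type, and the CSP and X-Frame-Options lines arrive as the first bytes of the body, where no browser will act on them; with `strict=True` the same backend response is dropped and a 502 is returned. httpd's own ProxyBadHeader directive offers the same choices for colon-less lines (IsError, the default, Ignore, and StartBody); the point of the CVE is that a backend could reach the StartBody-like outcome without that setting, which is why upgrading to 2.4.55 rather than tuning the directive is the fix.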
Products affected by CVE-2022-37436
- cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* (versions prior to 2.4.55, per the description above)
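A quick local check, added here and not part of the page or the httpd project: parse the banner printed by `httpd -v` (or `apache2 -v`) and compare it with the 2.4.55 fix version. It assumes, following "prior to Apache HTTP Server 2.4.55" above, that anything sorting below 2.4.55 is affected. Distribution packages that backport the fix under an older version number will be flagged as affected by this check; confirm those against the distribution's changelog rather than the banner. The same regex works on a remote `Server:` response header, although many deployments suppress the version with ServerTokens.

```python
"""
Constructed version check for CVE-2022-37436 (not from the page or httpd).
"""
import re
import subprocess

FIXED_VERSION = (2, 4, 55)          # first httpd release with the fix

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(banner):
    """Return (major, minor, patch) from text such as
    'Server version: Apache/2.4.54 (Unix)', or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_affected(banner):
    """True if the banner shows a version below 2.4.55, False if at or above,
    None if no version could be parsed (e.g. ServerTokens Prod)."""
    version = parse_httpd_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION


def local_httpd_banner(binary="httpd"):
    """Run `<binary> -v` and return its stdout, or None if it cannot be run."""
    try:
        done = subprocess.run([binary, "-v"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return done.stdout or None


if __name__ == "__main__":
    for binary in ("httpd", "apache2"):
        banner = local_httpd_banner(binary)
        if banner:
            verdict = is_affected(banner)
            print(binary, {True: "AFFECTED (below 2.4.55)",
                           False: "fixed (2.4.55 or later)",
                           None: "version not parseable"}[verdict])
            break
    else:
        print("no httpd/apache2 binary found on PATH")
```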
Threat overview for CVE-2022-37436
- Top countries where our scanners detected CVE-2022-37436: (chart not reproduced)
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2022-37436: 7,934,411
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2022-37436
- EPSS score: 0.08% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~34% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-37436
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST | 
5.3 | MEDIUM | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | N/A | N/A | Oracle:CPUOct2023 | 

Both sources agree on 5.3 (medium): reachable over the network with no privileges or user interaction, scope unchanged, and impact scored on integrity only (the client loses headers the backend intended to send), with no confidentiality or availability impact.
CWE ids for CVE-2022-37436
- The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. (Assigned by: security@apache.org, Primary)
- Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. (Assigned by: nvd@nist.gov, Secondary)
References for CVE-2022-37436
- https://httpd.apache.org/security/vulnerabilities_24.html (httpd 2.4 vulnerabilities, The Apache HTTP Server Project; Release Notes, Vendor Advisory)
- https://security.gentoo.org/glsa/202309-01 (Apache HTTPD: Multiple Vulnerabilities, GLSA 202309-01, Gentoo security)