CVE-2022-22720

CRITICAL LAB

Apache HTTP Server < 2.4.52 - HTTP Request Smuggling

Title source: rule

Description

Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when errors are encountered while discarding the request body, exposing the server to HTTP Request Smuggling.

Exploits (1)

nomisec STUB
by Benasin · poc
https://github.com/Benasin/CVE-2022-22720

Scores

CVSS v3 9.8
EPSS 0.2746
EPSS Percentile 96.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Community Lab
docker pull httpd:2.4.52

Details

CWE
CWE-444
Status published
Products (11)
apache/http_server < 2.4.52
apple/macos < 10.15.7
apple/mac_os_x 10.15.7 security_update_2020-001 (12 CPE variants)
debian/debian_linux 9.0
fedoraproject/fedora 34
fedoraproject/fedora 35
fedoraproject/fedora 36
oracle/enterprise_manager_ops_center 12.4.0.0
oracle/http_server 12.2.1.3.0
oracle/http_server 12.2.1.4.0
... and 1 more
Published Mar 14, 2022
Tracked Since Feb 18, 2026