CVE-2022-22721
CRITICALApache HTTP Server < 2.4.52 - Integer Overflow via Large Request Body Handling
Title source: llmDescription
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
References (16)
Core 16
Core References
Vendor Advisory x_refsource_misc
https://httpd.apache.org/security/vulnerabilities_24.html
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/03/14/2
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220321-0001/
Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2022/May/33
Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2022/May/35
Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2022/May/38
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2022.html
Third Party Advisory x_refsource_confirm
https://support.apple.com/kb/HT213257
Third Party Advisory x_refsource_confirm
https://support.apple.com/kb/HT213256
Third Party Advisory x_refsource_confirm
https://support.apple.com/kb/HT213255
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202208-20
Scores
CVSS v3
9.1
EPSS
0.1347
EPSS Percentile
94.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Details
CWE
CWE-190
Status
published
Products (12)
apache/http_server
< 2.4.52
apple/mac_os_x
10.15.7 security_update_2020-001 (12 CPE variants)
apple/mac_os_x
10.15 - 10.15.7
apple/macos
11.0 - 11.6.6
debian/debian_linux
9.0
fedoraproject/fedora
34
fedoraproject/fedora
35
fedoraproject/fedora
36
oracle/enterprise_manager_ops_center
12.4.0.0
oracle/http_server
12.2.1.3.0
... and 2 more
Published
Mar 14, 2022
Tracked Since
Feb 18, 2026