CVE-2022-26377

HIGH

Apache HTTP Server <2.4.53 - SSRF

Title source: llm

Description

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.

Exploits (1)

nomisec WORKING POC 5 stars

by watchtowrlabs · poc

https://github.com/watchtowrlabs/ibm-qradar-ajp_smuggling_CVE-2022-26377_poc

View Code ZIP pw:eip

References (6)

[Vendor Advisory] https://httpd.apache.org/security/vulnerabilities_24.html

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2022/06/08/2

[Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/

[Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/

[Third Party Advisory] https://security.gentoo.org/glsa/202208-20

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20220624-0005/

Scores

CVSS v3 7.5

EPSS 0.3930

EPSS Percentile 97.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-444

Status published

Products (4)

apache/http_server 2.4.0 - 2.4.54

fedoraproject/fedora 35

fedoraproject/fedora 36

netapp/clustered_data_ontap

Published Jun 09, 2022

Tracked Since Feb 18, 2026