ID

VAR-202203-0034


CVE

CVE-2022-22719


TITLE

Apache HTTP Server Input validation error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202203-1274

DESCRIPTION

A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier. The server is fast, reliable and extensible through a simple API. ========================================================================= Ubuntu Security Notice USN-5333-2 March 17, 2022 apache2 vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 ESM - Ubuntu 14.04 ESM Summary: Several security issues were fixed in Apache HTTP Server. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Original advisory details: Chamal De Silva discovered that the Apache HTTP Server mod_lua module incorrectly handled certain crafted request bodies. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. (CVE-2022-22719) James Kettle discovered that the Apache HTTP Server incorrectly closed inbound connection when certain errors are encountered. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. (CVE-2022-22720) It was discovered that the Apache HTTP Server incorrectly handled large LimitXMLRequestBody settings on certain platforms. (CVE-2022-22721) Ronald Crane discovered that the Apache HTTP Server mod_sed module incorrectly handled memory. (CVE-2022-23943) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 ESM: apache2 2.4.18-2ubuntu3.17+esm5 apache2-bin 2.4.18-2ubuntu3.17+esm5 Ubuntu 14.04 ESM: apache2 2.4.7-1ubuntu4.22+esm4 apache2-bin 2.4.7-1ubuntu4.22+esm4 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6 macOS Big Sur 11.6.6 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213256. apache Available for: macOS Big Sur Impact: Multiple issues in apache Description: Multiple issues were addressed by updating apache to version 2.4.53. CVE-2021-44224 CVE-2021-44790 CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 AppKit Available for: macOS Big Sur Impact: A malicious application may be able to gain root privileges Description: A logic issue was addressed with improved validation. CVE-2022-22665: Lockheed Martin Red Team AppleAVD Available for: macOS Big Sur Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2022-22675: an anonymous researcher AppleGraphicsControl Available for: macOS Big Sur Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved input validation. CVE-2022-26751: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative AppleScript Available for: macOS Big Sur Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory Description: An out-of-bounds read issue was addressed with improved bounds checking. CVE-2022-26698: Qi Sun of Trend Micro AppleScript Available for: macOS Big Sur Impact: Processing a maliciously crafted AppleScript binary may result in unexpected application termination or disclosure of process memory Description: An out-of-bounds read issue was addressed with improved input validation. CVE-2022-26697: Qi Sun and Robert Ai of Trend Micro CoreTypes Available for: macOS Big Sur Impact: A malicious application may bypass Gatekeeper checks Description: This issue was addressed with improved checks to prevent unauthorized actions. CVE-2022-22663: Arsenii Kostromin (0x3c3e) CVMS Available for: macOS Big Sur Impact: A malicious application may be able to gain root privileges Description: A memory initialization issue was addressed. CVE-2022-26721: Yonghwi Jin (@jinmo123) of Theori CVE-2022-26722: Yonghwi Jin (@jinmo123) of Theori DriverKit Available for: macOS Big Sur Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An out-of-bounds access issue was addressed with improved bounds checking. CVE-2022-26763: Linus Henze of Pinauten GmbH (pinauten.de) Graphics Drivers Available for: macOS Big Sur Impact: A local user may be able to read kernel memory Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation. CVE-2022-22674: an anonymous researcher Intel Graphics Driver Available for: macOS Big Sur Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2022-26720: Liu Long of Ant Security Light-Year Lab Intel Graphics Driver Available for: macOS Big Sur Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds read issue was addressed with improved input validation. CVE-2022-26770: Liu Long of Ant Security Light-Year Lab Intel Graphics Driver Available for: macOS Big Sur Impact: An application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-26756: Jack Dates of RET2 Systems, Inc Intel Graphics Driver Available for: macOS Big Sur Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2022-26769: Antonio Zekic (@antoniozekic) Intel Graphics Driver Available for: macOS Big Sur Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: An out-of-bounds write issue was addressed with improved input validation. CVE-2022-26748: Jeonghoon Shin of Theori working with Trend Micro Zero Day Initiative IOMobileFrameBuffer Available for: macOS Big Sur Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2022-26768: an anonymous researcher Kernel Available for: macOS Big Sur Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved validation. CVE-2022-26714: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs (@starlabs_sg) Kernel Available for: macOS Big Sur Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed with improved memory management. CVE-2022-26757: Ned Williamson of Google Project Zero LaunchServices Available for: macOS Big Sur Impact: A malicious application may be able to bypass Privacy preferences Description: The issue was addressed with additional permissions checks. CVE-2022-26767: Wojciech Reguła (@_r3ggi) of SecuRing LaunchServices Available for: macOS Big Sur Impact: A sandboxed process may be able to circumvent sandbox restrictions Description: An access issue was addressed with additional sandbox restrictions on third-party applications. CVE-2022-26706: Arsenii Kostromin (0x3c3e) libresolv Available for: macOS Big Sur Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2022-26776: Zubair Ashraf of Crowdstrike, Max Shavrick (@_mxms) of the Google Security Team LibreSSL Available for: macOS Big Sur Impact: Processing a maliciously crafted certificate may lead to a denial of service Description: A denial of service issue was addressed with improved input validation. CVE-2022-0778 libxml2 Available for: macOS Big Sur Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2022-23308 OpenSSL Available for: macOS Big Sur Impact: Processing a maliciously crafted certificate may lead to a denial of service Description: This issue was addressed with improved checks. CVE-2022-0778 PackageKit Available for: macOS Big Sur Impact: A malicious application may be able to modify protected parts of the file system Description: This issue was addressed by removing the vulnerable code. CVE-2022-26712: Mickey Jin (@patch1t) Printing Available for: macOS Big Sur Impact: A malicious application may be able to bypass Privacy preferences Description: This issue was addressed by removing the vulnerable code. CVE-2022-26746: @gorelics Security Available for: macOS Big Sur Impact: A malicious app may be able to bypass signature validation Description: A certificate parsing issue was addressed with improved checks. CVE-2022-26766: Linus Henze of Pinauten GmbH (pinauten.de) SMB Available for: macOS Big Sur Impact: An application may be able to gain elevated privileges Description: An out-of-bounds read issue was addressed with improved input validation. CVE-2022-26718: Peter Nguyễn Vũ Hoàng of STAR Labs SMB Available for: macOS Big Sur Impact: Mounting a maliciously crafted Samba network share may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved input validation. CVE-2022-26723: Felix Poulin-Belanger SMB Available for: macOS Big Sur Impact: An application may be able to gain elevated privileges Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2022-26715: Peter Nguyễn Vũ Hoàng of STAR Labs SoftwareUpdate Available for: macOS Big Sur Impact: A malicious application may be able to access restricted files Description: This issue was addressed with improved entitlements. CVE-2022-26728: Mickey Jin (@patch1t) TCC Available for: macOS Big Sur Impact: An app may be able to capture a user's screen Description: This issue was addressed with improved checks. CVE-2022-26726: an anonymous researcher Tcl Available for: macOS Big Sur Impact: A malicious application may be able to break out of its sandbox Description: This issue was addressed with improved environment sanitization. CVE-2022-26755: Arsenii Kostromin (0x3c3e) Vim Available for: macOS Big Sur Impact: Multiple issues in Vim Description: Multiple issues were addressed by updating Vim. CVE-2021-4136 CVE-2021-4166 CVE-2021-4173 CVE-2021-4187 CVE-2021-4192 CVE-2021-4193 CVE-2021-46059 CVE-2022-0128 WebKit Available for: macOS Big Sur Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript Description: A validation issue was addressed with improved input sanitization. CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com) Wi-Fi Available for: macOS Big Sur Impact: A malicious application may disclose restricted memory Description: A memory corruption issue was addressed with improved validation. CVE-2022-26745: an anonymous researcher Wi-Fi Available for: macOS Big Sur Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved memory handling. CVE-2022-26761: Wang Yu of Cyberserval zip Available for: macOS Big Sur Impact: Processing a maliciously crafted file may lead to a denial of service Description: A denial of service issue was addressed with improved state handling. CVE-2022-0530 zlib Available for: macOS Big Sur Impact: An attacker may be able to cause unexpected application termination or arbitrary code execution Description: A memory corruption issue was addressed with improved input validation. CVE-2018-25032: Tavis Ormandy zsh Available for: macOS Big Sur Impact: A remote attacker may be able to cause arbitrary code execution Description: This issue was addressed by updating to zsh version 5.8.1. CVE-2021-45444 Additional recognition Bluetooth We would like to acknowledge Jann Horn of Project Zero for their assistance. macOS Big Sur 11.6.6 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmKC1TUACgkQeC9qKD1p rhgJBg/9HpPp6P2OtFdYHigfaoga/3szMAjXC650MlC2rF1lXyTRVsO54eupz4er K8Iud3+YnDVTUKkadftWt2XdxAADGtfEFhJW584RtnWjeli+XtGEjQ8jD1/MNPJW qtnrOh2pYG9SxolKDofhiecbYxIGppRKSDRFl0/3VGFed2FIpiRDunlttHBEhHu/ vZVSFzMrNbGvhju+ZCdwFLKXOgB851aRSeo9Xkt63tSGiee7rLmVAINyFbbPwcVP yXwMvn0TNodCBn0wBWD0+iQ3UXIDIYSPaM1Z0BQxVraEhK3Owro3JKgqNbWswMvj SY0KUulbAPs3aOeyz1BI70npYA3+Qwd+bk2hxbzbU/AxvxCrsEk04QfxLYqvj0mR VZYPcup2KAAkiTeekQ5X739r8NAyaaI+bp7FllFv/Z2jVW9kGgNIFr46R05MD9NF aC1JAZtJ4VWbMEGHnHAMrOgdGaHpryvzl2BjUXRgW27vIq5uF5YiNcpjS2BezTFc R2ojiMNRB33Y44LlH7Zv3gHm4bE3+NzcGeWvBzwOsHznk9Jiv6x2eBUxkttMlPyO zymQMONQN3bktSMT8JnmJ8rlEgISONd7NeTEzuhlGIWaWNAFmmBoPnBiPk+yC3n4 d22yFs6DLp2pJ+0zOWmTcqt1xYng05Jwj4F0KT49w0TO9Up79+o= =rtPl -----END PGP SIGNATURE----- . Summary: An update for httpd24-httpd is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 3. Security Fix(es): * httpd: mod_sed: Read/write beyond bounds (CVE-2022-23943) * httpd: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193) * httpd: NULL pointer dereference via malformed requests (CVE-2021-34798) * httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path (CVE-2021-36160) * httpd: Out-of-bounds write in ap_escape_quotes() via malicious input (CVE-2021-39275) * httpd: possible NULL dereference or SSRF in forward proxy configurations (CVE-2021-44224) * httpd: mod_lua: Use of uninitialized value of in r:parsebody (CVE-2022-22719) * httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (CVE-2022-22721) * httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377) * httpd: mod_lua: DoS in r:parsebody (CVE-2022-29404) * httpd: mod_sed: DoS vulnerability (CVE-2022-30522) * httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813) * httpd: out-of-bounds read via ap_rwrite() (CVE-2022-28614) * httpd: out-of-bounds read in ap_strcmp_match() (CVE-2022-28615) * httpd: mod_lua: Information disclosure with websockets (CVE-2022-30556) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * proxy rewrite to unix socket fails with CVE-2021-40438 fix (BZ#2022319) Additional changes: * To fix CVE-2022-29404, the default value for the "LimitRequestBody" directive in the Apache HTTP Server has been changed from 0 (unlimited) to 1 GiB. On systems where the value of "LimitRequestBody" is not explicitly specified in an httpd configuration file, updating the httpd package sets "LimitRequestBody" to the default value of 1 GiB. As a consequence, if the total size of the HTTP request body exceeds this 1 GiB default limit, httpd returns the 413 Request Entity Too Large error code. If the new default allowed size of an HTTP request message body is insufficient for your use case, update your httpd configuration files within the respective context (server, per-directory, per-file, or per-location) and set your preferred limit in bytes. For example, to set a new 2 GiB limit, use: LimitRequestBody 2147483648 Systems already configured to use any explicit value for the "LimitRequestBody" directive are unaffected by this change. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, the httpd daemon will be restarted automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1966728 - CVE-2021-33193 httpd: Request splitting via HTTP/2 method injection and mod_proxy 2005119 - CVE-2021-39275 httpd: Out-of-bounds write in ap_escape_quotes() via malicious input 2005124 - CVE-2021-36160 httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path 2005128 - CVE-2021-34798 httpd: NULL pointer dereference via malformed requests 2034672 - CVE-2021-44224 httpd: possible NULL dereference or SSRF in forward proxy configurations 2064319 - CVE-2022-23943 httpd: mod_sed: Read/write beyond bounds 2064320 - CVE-2022-22721 httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody 2064322 - CVE-2022-22719 httpd: mod_lua: Use of uninitialized value of in r:parsebody 2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling 2095002 - CVE-2022-28614 httpd: out-of-bounds read via ap_rwrite() 2095006 - CVE-2022-28615 httpd: out-of-bounds read in ap_strcmp_match() 2095012 - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody 2095015 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability 2095018 - CVE-2022-30556 httpd: mod_lua: Information disclosure with websockets 2095020 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: httpd24-httpd-2.4.34-23.el7.5.src.rpm noarch: httpd24-httpd-manual-2.4.34-23.el7.5.noarch.rpm ppc64le: httpd24-httpd-2.4.34-23.el7.5.ppc64le.rpm httpd24-httpd-debuginfo-2.4.34-23.el7.5.ppc64le.rpm httpd24-httpd-devel-2.4.34-23.el7.5.ppc64le.rpm httpd24-httpd-tools-2.4.34-23.el7.5.ppc64le.rpm httpd24-mod_ldap-2.4.34-23.el7.5.ppc64le.rpm httpd24-mod_proxy_html-2.4.34-23.el7.5.ppc64le.rpm httpd24-mod_session-2.4.34-23.el7.5.ppc64le.rpm httpd24-mod_ssl-2.4.34-23.el7.5.ppc64le.rpm s390x: httpd24-httpd-2.4.34-23.el7.5.s390x.rpm httpd24-httpd-debuginfo-2.4.34-23.el7.5.s390x.rpm httpd24-httpd-devel-2.4.34-23.el7.5.s390x.rpm httpd24-httpd-tools-2.4.34-23.el7.5.s390x.rpm httpd24-mod_ldap-2.4.34-23.el7.5.s390x.rpm httpd24-mod_proxy_html-2.4.34-23.el7.5.s390x.rpm httpd24-mod_session-2.4.34-23.el7.5.s390x.rpm httpd24-mod_ssl-2.4.34-23.el7.5.s390x.rpm x86_64: httpd24-httpd-2.4.34-23.el7.5.x86_64.rpm httpd24-httpd-debuginfo-2.4.34-23.el7.5.x86_64.rpm httpd24-httpd-devel-2.4.34-23.el7.5.x86_64.rpm httpd24-httpd-tools-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_ldap-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_proxy_html-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_session-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_ssl-2.4.34-23.el7.5.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: httpd24-httpd-2.4.34-23.el7.5.src.rpm noarch: httpd24-httpd-manual-2.4.34-23.el7.5.noarch.rpm x86_64: httpd24-httpd-2.4.34-23.el7.5.x86_64.rpm httpd24-httpd-debuginfo-2.4.34-23.el7.5.x86_64.rpm httpd24-httpd-devel-2.4.34-23.el7.5.x86_64.rpm httpd24-httpd-tools-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_ldap-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_proxy_html-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_session-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_ssl-2.4.34-23.el7.5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-33193 https://access.redhat.com/security/cve/CVE-2021-34798 https://access.redhat.com/security/cve/CVE-2021-36160 https://access.redhat.com/security/cve/CVE-2021-39275 https://access.redhat.com/security/cve/CVE-2021-44224 https://access.redhat.com/security/cve/CVE-2022-22719 https://access.redhat.com/security/cve/CVE-2022-22721 https://access.redhat.com/security/cve/CVE-2022-23943 https://access.redhat.com/security/cve/CVE-2022-26377 https://access.redhat.com/security/cve/CVE-2022-28614 https://access.redhat.com/security/cve/CVE-2022-28615 https://access.redhat.com/security/cve/CVE-2022-29404 https://access.redhat.com/security/cve/CVE-2022-30522 https://access.redhat.com/security/cve/CVE-2022-30556 https://access.redhat.com/security/cve/CVE-2022-31813 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/articles/6975397 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. 9) - aarch64, noarch, ppc64le, s390x, x86_64 3. The following packages have been upgraded to a later upstream version: httpd (2.4.53). Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes linked from the References section. Needs documentation

Trust: 1.71

sources: NVD: CVE-2022-22719 // VULHUB: VHN-411395 // VULMON: CVE-2022-22719 // PACKETSTORM: 166355 // PACKETSTORM: 166365 // PACKETSTORM: 167188 // PACKETSTORM: 167189 // PACKETSTORM: 168565 // PACKETSTORM: 169770 // PACKETSTORM: 169845

AFFECTED PRODUCTS

vendor:applemodel:macosscope:ltversion:12.4

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:34

Trust: 1.0

vendor:oraclemodel:http serverscope:eqversion:12.2.1.4.0

Trust: 1.0

vendor:oraclemodel:zfs storage appliance kitscope:eqversion:8.8

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.15.7

Trust: 1.0

vendor:apachemodel:http serverscope:lteversion:2.4.52

Trust: 1.0

vendor:applemodel:macosscope:ltversion:10.15.7

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:36

Trust: 1.0

vendor:applemodel:macosscope:gteversion:12.0.0

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:35

Trust: 1.0

vendor:applemodel:macosscope:ltversion:11.6.6

Trust: 1.0

vendor:oraclemodel:http serverscope:eqversion:12.2.1.3.0

Trust: 1.0

vendor:applemodel:macosscope:gteversion:11.0

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

sources: NVD: CVE-2022-22719

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-22719
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202203-1274
value: HIGH

Trust: 0.6

VULHUB: VHN-411395
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-22719
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-22719
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-411395
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-22719
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-411395 // VULMON: CVE-2022-22719 // CNNVD: CNNVD-202203-1274 // NVD: CVE-2022-22719

PROBLEMTYPE DATA

problemtype:CWE-665

Trust: 1.1

sources: VULHUB: VHN-411395 // NVD: CVE-2022-22719

THREAT TYPE

remote

Trust: 0.8

sources: PACKETSTORM: 166355 // PACKETSTORM: 166365 // CNNVD: CNNVD-202203-1274

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202203-1274

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-411395

PATCH

title:Apache HTTP Server Enter the fix for the verification error vulnerabilityurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=186369

Trust: 0.6

title:Red Hat: url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2022-22719

Trust: 0.1

title:Ubuntu Security Notice: USN-5333-2: Apache HTTP Server vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-5333-2

Trust: 0.1

title:Ubuntu Security Notice: USN-5333-1: Apache HTTP Server vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-5333-1

Trust: 0.1

title:Amazon Linux AMI: ALAS-2022-1584url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2022-1584

Trust: 0.1

title:Red Hat: Moderate: httpd:2.4 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20227647 - Security Advisory

Trust: 0.1

title:Red Hat: Moderate: httpd security, bug fix, and enhancement updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20228067 - Security Advisory

Trust: 0.1

title:Amazon Linux 2: ALAS2-2022-1783url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2022-1783

Trust: 0.1

title:Red Hat: Moderate: httpd24-httpd security and bug fix updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226753 - Security Advisory

Trust: 0.1

title:Amazon Linux 2022: ALAS2022-2022-053url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2022&qid=ALAS2022-2022-053

Trust: 0.1

title:Apple: macOS Monterey 12.4url:https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories&qid=73857ee26a600b1527481f1deacc0619

Trust: 0.1

title:PROJET TUTEUREurl:https://github.com/PierreChrd/py-projet-tut

Trust: 0.1

title:Tier 0 Tier 1 Tier 2url:https://github.com/Totes5706/TotesHTB

Trust: 0.1

title:Requirements vulnsearch-cve Usage vulnsearch Usage Test Sampleurl:https://github.com/kasem545/vulnsearch

Trust: 0.1

title:Skyneturl:https://github.com/bioly230/THM_Skynet

Trust: 0.1

title:Shodan Search Scripturl:https://github.com/firatesatoglu/shodanSearch

Trust: 0.1

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-22719 // CNNVD: CNNVD-202203-1274

EXTERNAL IDS

db:NVDid:CVE-2022-22719

Trust: 2.5

db:OPENWALLid:OSS-SECURITY/2022/03/14/4

Trust: 1.8

db:PACKETSTORMid:166355

Trust: 0.8

db:PACKETSTORMid:166365

Trust: 0.8

db:PACKETSTORMid:167189

Trust: 0.8

db:PACKETSTORMid:169770

Trust: 0.8

db:PACKETSTORMid:168565

Trust: 0.8

db:PACKETSTORMid:168072

Trust: 0.7

db:PACKETSTORMid:169845

Trust: 0.7

db:CS-HELPid:SB2022050324

Trust: 0.6

db:CS-HELPid:SB2022051703

Trust: 0.6

db:CS-HELPid:SB2022060706

Trust: 0.6

db:CS-HELPid:SB2022031504

Trust: 0.6

db:CS-HELPid:SB2022041954

Trust: 0.6

db:CS-HELPid:SB2022031727

Trust: 0.6

db:CS-HELPid:SB2022031416

Trust: 0.6

db:CS-HELPid:SB2022032127

Trust: 0.6

db:AUSCERTid:ESB-2022.1158

Trust: 0.6

db:AUSCERTid:ESB-2022.2411

Trust: 0.6

db:AUSCERTid:ESB-2022.1234

Trust: 0.6

db:AUSCERTid:ESB-2022.1078

Trust: 0.6

db:CNNVDid:CNNVD-202203-1274

Trust: 0.6

db:PACKETSTORMid:167188

Trust: 0.2

db:CNVDid:CNVD-2022-41639

Trust: 0.1

db:PACKETSTORMid:167186

Trust: 0.1

db:VULHUBid:VHN-411395

Trust: 0.1

db:VULMONid:CVE-2022-22719

Trust: 0.1

sources: VULHUB: VHN-411395 // VULMON: CVE-2022-22719 // PACKETSTORM: 166355 // PACKETSTORM: 166365 // PACKETSTORM: 167188 // PACKETSTORM: 167189 // PACKETSTORM: 168565 // PACKETSTORM: 169770 // PACKETSTORM: 169845 // CNNVD: CNNVD-202203-1274 // NVD: CVE-2022-22719

REFERENCES

url:https://support.apple.com/kb/ht213255

Trust: 1.8

url:https://support.apple.com/kb/ht213256

Trust: 1.8

url:https://support.apple.com/kb/ht213257

Trust: 1.8

url:https://security.netapp.com/advisory/ntap-20220321-0001/

Trust: 1.8

url:http://seclists.org/fulldisclosure/2022/may/38

Trust: 1.8

url:http://seclists.org/fulldisclosure/2022/may/35

Trust: 1.8

url:http://seclists.org/fulldisclosure/2022/may/33

Trust: 1.8

url:https://security.gentoo.org/glsa/202208-20

Trust: 1.8

url:https://www.oracle.com/security-alerts/cpuapr2022.html

Trust: 1.8

url:https://lists.debian.org/debian-lts-announce/2022/03/msg00033.html

Trust: 1.8

url:http://www.openwall.com/lists/oss-security/2022/03/14/4

Trust: 1.8

url:https://httpd.apache.org/security/vulnerabilities_24.html

Trust: 1.2

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/rgwilbort67shmslysqzg2nmxgcmpuzo/

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/z7h26wj6tpknwv3qky4bhkukqvutzjtd/

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/x73c35mmmzgbvpqqch7lqzumyznqa5fo/

Trust: 1.1

url:https://access.redhat.com/security/cve/cve-2022-22719

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/z7h26wj6tpknwv3qky4bhkukqvutzjtd/

Trust: 0.7

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/x73c35mmmzgbvpqqch7lqzumyznqa5fo/

Trust: 0.7

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/rgwilbort67shmslysqzg2nmxgcmpuzo/

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2022-22719

Trust: 0.7

url:https://nvd.nist.gov/vuln/detail/cve-2022-22721

Trust: 0.7

url:httpd.apache.org/security/vulnerabilities_24.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.1158

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.1234

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022051703

Trust: 0.6

url:https://packetstormsecurity.com/files/168565/red-hat-security-advisory-2022-6753-01.html

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-22719/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.1078

Trust: 0.6

url:https://packetstormsecurity.com/files/166355/ubuntu-security-notice-usn-5333-1.html

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022031727

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022060706

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022041954

Trust: 0.6

url:https://support.apple.com/en-us/ht213256

Trust: 0.6

url:https://packetstormsecurity.com/files/167189/apple-security-advisory-2022-05-16-4.html

Trust: 0.6

url:https://packetstormsecurity.com/files/169770/red-hat-security-advisory-2022-7647-01.html

Trust: 0.6

url:https://packetstormsecurity.com/files/169845/red-hat-security-advisory-2022-8067-01.html

Trust: 0.6

url:https://packetstormsecurity.com/files/166365/ubuntu-security-notice-usn-5333-2.html

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022031416

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022031504

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.2411

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022050324

Trust: 0.6

url:https://packetstormsecurity.com/files/168072/gentoo-linux-security-advisory-202208-20.html

Trust: 0.6

url:https://vigilance.fr/vulnerability/apache-http-server-out-of-bounds-memory-reading-via-mod-lua-37792

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022032127

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2022-23943

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2022-22720

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2021-44224

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-30556

Trust: 0.3

url:https://access.redhat.com/articles/11258

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-28614

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-29404

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-28614

Trust: 0.3

url:https://access.redhat.com/security/team/key/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-28615

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-30522

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-28615

Trust: 0.3

url:https://access.redhat.com/security/team/contact/

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-31813

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-30556

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-30522

Trust: 0.3

url:https://bugzilla.redhat.com/):

Trust: 0.3

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-22721

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-29404

Trust: 0.3

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-23943

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2022-26377

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-26377

Trust: 0.3

url:https://ubuntu.com/security/notices/usn-5333-2

Trust: 0.2

url:https://ubuntu.com/security/notices/usn-5333-1

Trust: 0.2

url:https://support.apple.com/downloads/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-23308

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22589

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22663

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-44790

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22674

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-0530

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-26698

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-26697

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-0778

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-45444

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-25032

Trust: 0.2

url:https://www.apple.com/support/security/pgp/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-22665

Trust: 0.2

url:https://support.apple.com/en-us/ht201222.

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-31813

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/665.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/apache2/2.4.48-3.1ubuntu3.3

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.10

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.22

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-46059

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-0128

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4187

Trust: 0.1

url:https://support.apple.com/ht213256.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4193

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4173

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4192

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4136

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-22675

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-26706

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-26712

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-4166

Trust: 0.1

url:https://support.apple.com/ht213255.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-26726

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-26714

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-26727

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-26728

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-26748

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-26721

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-26720

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-26715

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-26722

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-26746

Trust: 0.1

url:https://access.redhat.com/articles/6975397

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-36160

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-39275

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:6753

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-34798

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-36160

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-34798

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-39275

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-44224

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-33193

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-33193

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:7647

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:8067

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

Trust: 0.1

sources: VULHUB: VHN-411395 // VULMON: CVE-2022-22719 // PACKETSTORM: 166355 // PACKETSTORM: 166365 // PACKETSTORM: 167188 // PACKETSTORM: 167189 // PACKETSTORM: 168565 // PACKETSTORM: 169770 // PACKETSTORM: 169845 // CNNVD: CNNVD-202203-1274 // NVD: CVE-2022-22719

CREDITS

Red Hat

Trust: 0.3

sources: PACKETSTORM: 168565 // PACKETSTORM: 169770 // PACKETSTORM: 169845

SOURCES

db:VULHUBid:VHN-411395
db:VULMONid:CVE-2022-22719
db:PACKETSTORMid:166355
db:PACKETSTORMid:166365
db:PACKETSTORMid:167188
db:PACKETSTORMid:167189
db:PACKETSTORMid:168565
db:PACKETSTORMid:169770
db:PACKETSTORMid:169845
db:CNNVDid:CNNVD-202203-1274
db:NVDid:CVE-2022-22719

LAST UPDATE DATE

2024-11-07T20:03:15.929000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-411395date:2022-11-02T00:00:00
db:VULMONid:CVE-2022-22719date:2023-11-07T00:00:00
db:CNNVDid:CNNVD-202203-1274date:2022-11-16T00:00:00
db:NVDid:CVE-2022-22719date:2023-11-07T03:43:58.290

SOURCES RELEASE DATE

db:VULHUBid:VHN-411395date:2022-03-14T00:00:00
db:VULMONid:CVE-2022-22719date:2022-03-14T00:00:00
db:PACKETSTORMid:166355date:2022-03-17T15:54:28
db:PACKETSTORMid:166365date:2022-03-18T15:34:37
db:PACKETSTORMid:167188date:2022-05-17T16:59:42
db:PACKETSTORMid:167189date:2022-05-17T16:59:55
db:PACKETSTORMid:168565date:2022-09-30T14:51:18
db:PACKETSTORMid:169770date:2022-11-08T13:48:57
db:PACKETSTORMid:169845date:2022-11-15T16:40:34
db:CNNVDid:CNNVD-202203-1274date:2022-03-14T00:00:00
db:NVDid:CVE-2022-22719date:2022-03-14T11:15:09.023