CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- To: announce@xxxxxxxxxx, users@xxxxxxxxxxxxxxxx
- Subject: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting
- From: Eric Covener <covener@xxxxxxxxxx>
- Date: Tue, 17 Jan 2023 19:09:35 +0000
- Reply-to: users@xxxxxxxxxxxxxxxx
Severity: moderate
Description:
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
Credit:
Dimas Fariski Setyawan Putra (@nyxsorcerer) (finder)
References:
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-37436
Timeline:
2022-07-14: Reported to security team
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]
[Open SSH Users]
[Linux ACPI]
[Linux Kernel]
[Linux Laptop]
[Kernel Newbies]
[Security]
[Netfilter]
[Bugtraq]
[Squid]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Samba]
[Video 4 Linux]
[Device Mapper]