CVE-2022-22720

HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier

EPSS 28.2% | CWE-444

In short

Apache HTTP Server can fail to properly close a connection when it encounters errors while processing a request, allowing attackers to send hidden HTTP requests that the server processes unexpectedly. This can lead to unauthorized actions or access to sensitive data.

Technical detail

This is an HTTP request smuggling vulnerability: Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when it encounters an error while discarding the request body. An attacker can exploit this improper connection handling to inject malicious requests that bypass security controls, which affects how requests are interpreted between intermediaries and the origin server.

Summary generated and translated by AI from the official description.

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling.
