CVE-2022-26377
mod_proxy_ajp: Possible request smuggling
In short
A flaw in Apache HTTP Server's mod_proxy_ajp module allows attackers to send hidden requests to backend AJP servers by exploiting how the module interprets HTTP requests differently than intended. This can lead to unauthorized actions or data exposure on the backend server.
Technical detail
The HTTP request smuggling vulnerability in mod_proxy_ajp stems from inconsistent interpretation of HTTP requests between the Apache proxy and the AJP backend server. An attacker can craft malicious HTTP requests that are parsed differently by the proxy and the backend, allowing request smuggling to execute unintended commands on the AJP server. It affects Apache HTTP Server 2.4.53 and earlier versions.
Summary generated and translated by AI from the official description.
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.53 and prior versions.
Affected products
Apache Software Foundation · Apache HTTP Server
References
https://httpd.apache.org/security/vulnerabilities_24.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/
https://security.gentoo.org/glsa/202208-20
https://security.netapp.com/advisory/ntap-20220624-0005/
http://www.openwall.com/lists/oss-security/2022/06/08/2