CVE-2022-22721
core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
9.1
CRITICAL
CVSS 3.1
EPSS 13.5%
Description
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (the default is 1M) on 32-bit systems, an integer overflow occurs that later causes out-of-bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier. Both conditions are required: 64-bit builds, and 32-bit builds that keep the default limit, are not exposed.
How to fix CVE-2022-22721
To remediate CVE-2022-22721, upgrade the affected package to one of the fixed versions below. Until the upgrade is applied, keeping LimitXMLRequestBody at its default (or at any value below 350MB) on 32-bit builds removes the overflow condition described above.
- upgrade to 2.4.53-r0 or later
- upgrade to 2.4.53 or later
- upgrade to 2.4.53-1~deb11u1 or later
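The following triage helper is an added example, not code from httpd or from this advisory. It encodes the three conditions given above (httpd 2.4.52 or earlier, a 32-bit build, and LimitXMLRequestBody set above about 350MB or to 0, which httpd documents as "no limit") and reads them from the text of `httpd -V` and the loaded configuration, so it runs offline. The sample inputs at the bottom are constructed, not captured from a real host.

```python
"""Triage check for CVE-2022-22721 (added example, not httpd's own code)."""
import re
from dataclasses import dataclass, field

FIRST_FIXED = (2, 4, 53)               # first fixed upstream release, per the remediation list
DEFAULT_LIMIT = 1_000_000              # httpd default for LimitXMLRequestBody ("1M" in the description)
OVERFLOW_THRESHOLD = 350_000_000       # the ~350MB boundary quoted in the description

_VERSION = re.compile(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)")
_ARCH = re.compile(r"Architecture:\s*(\d+)-bit")
# The directive takes a plain byte count; match it at any nesting level.
_DIRECTIVE = re.compile(r"^\s*LimitXMLRequestBody\s+(\d+)\s*$",
                        re.IGNORECASE | re.MULTILINE)


@dataclass
class Assessment:
    affected: bool
    reasons: list = field(default_factory=list)


def parse_version(httpd_v_text):
    """Return (major, minor, patch) from the 'Server version:' line of `httpd -V`."""
    m = _VERSION.search(httpd_v_text)
    if not m:
        raise ValueError("no 'Server version: Apache/x.y.z' line found")
    return tuple(int(g) for g in m.groups())


def parse_arch_bits(httpd_v_text):
    """Return the pointer width (32 or 64) from the 'Architecture:' line of `httpd -V`."""
    m = _ARCH.search(httpd_v_text)
    if not m:
        raise ValueError("no 'Architecture: NN-bit' line found")
    return int(m.group(1))


def strip_comments(config_text):
    """Drop '#' comment lines so a commented-out directive is not counted."""
    return "\n".join(line for line in config_text.splitlines()
                     if not line.lstrip().startswith("#"))


def parse_limits(config_text):
    """Every LimitXMLRequestBody value set anywhere in the (uncommented) config."""
    return [int(v) for v in _DIRECTIVE.findall(strip_comments(config_text))]


def limit_is_dangerous(limit_bytes):
    """0 means unlimited; anything above ~350MB crosses the 32-bit overflow boundary."""
    return limit_bytes == 0 or limit_bytes > OVERFLOW_THRESHOLD


def assess(version, arch_bits, limits):
    """All three conditions must hold for the host to be in the vulnerable configuration."""
    reasons = []
    if version >= FIRST_FIXED:
        reasons.append("version %d.%d.%d is fixed (>= 2.4.53)" % version)
    if arch_bits != 32:
        reasons.append("%d-bit build: the overflow is specific to 32-bit systems" % arch_bits)
    effective = limits or [DEFAULT_LIMIT]     # no directive means the 1M default applies
    dangerous = [l for l in effective if limit_is_dangerous(l)]
    if not dangerous:
        reasons.append("no LimitXMLRequestBody of 0 or above 350MB (effective: %s)" % effective)
    if reasons:
        return Assessment(False, reasons)
    return Assessment(True, ["httpd %d.%d.%d, 32-bit, dangerous limit(s) %s"
                             % (*version, dangerous)])


def triage(httpd_v_text, config_text):
    """Convenience wrapper: raw `httpd -V` text plus raw config text in, verdict out."""
    return assess(parse_version(httpd_v_text), parse_arch_bits(httpd_v_text),
                  parse_limits(config_text))


# Constructed sample inputs for a stand-alone run (not captured from a real host).
SAMPLE_HTTPD_V = """Server version: Apache/2.4.52 (Unix)
Server built:   Mar  1 2022 10:00:00
Architecture:   32-bit
Server MPM:     event
"""
SAMPLE_CONFIG = """# LimitXMLRequestBody 0   (commented out, must be ignored)
<Directory "/srv/dav">
    Dav On
    LimitXMLRequestBody 500000000
</Directory>
"""

if __name__ == "__main__":
    result = triage(SAMPLE_HTTPD_V, SAMPLE_CONFIG)
    print("affected" if result.affected else "not affected", result.reasons)
```

Two caveats when using this against a real host: the script only sees configuration text you hand it, so concatenate any Include'd files and .htaccess files where AllowOverride permits the directive; and distributions sometimes backport fixes into packages that still report an older upstream version, so treat a "vulnerable version" verdict as a prompt to check the package changelog rather than as final.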
Is CVE-2022-22721 being exploited?
Moderate: EPSS is 13.5%. Track this CVE, but it is not at the top of the prioritisation list. Note that exploitation also requires a 32-bit build with LimitXMLRequestBody raised above 350MB (or set to unlimited), so most deployments are not exposed even before patching.
Affected packages (3)
- all versions < 2.4.53-r0
- all versions < 2.4.53
- all versions < 2.4.53-1~deb11u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |