CVE-2022-23943 — mod_sed: Read/write beyond bounds

Description

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.

How to fix CVE-2022-23943

To remediate CVE-2022-23943, upgrade the affected package to a fixed version below.

Alpine/apache2—upgrade to 2.4.53-r0 or later
—upgrade to 2.4.53 or later
—upgrade to 2.4.53-1~deb11u1 or later

Is CVE-2022-23943 being exploited?

Likely — EPSS is 60.6%, placing CVE-2022-23943 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (3)

from 0, < 2.4.53-r0
from 0, < 2.4.53
from 0, < 2.4.53-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (14)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-23943
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-23943
WEBhttpd.apache.org/security/vulnerabilities_24.html
WEBlists.debian.org/debian-lts-announce/2022/03/msg00033.html