CVE-2022-26377 — mod_proxy_ajp: Possible request smuggling

Description

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.

How to fix CVE-2022-26377

To remediate CVE-2022-26377, upgrade the affected package to a fixed version below.

—upgrade to 2.4.54-r0 or later
—upgrade to 2.4.54 or later
—upgrade to 2.4.54-1~deb11u1 or later

Is CVE-2022-26377 being exploited?

Moderate — EPSS is 32.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

from 0, < 2.4.54-r0
from 0, < 2.4.54
from 0, < 2.4.54-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (9)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-26377
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-26377
WEBhttpd.apache.org/security/vulnerabilities_24.html
WEBlists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/