CVE-2022-36760 — Apache HTTP Server: mod_proxy_ajp Possible request smuggling

Description

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.

How to fix CVE-2022-36760

To remediate CVE-2022-36760, upgrade the affected package to a fixed version below.

—upgrade to 2.4.55-r0 or later
—upgrade to 2.4.55 or later
—upgrade to 2.4.56-1~deb11u1 or later

Is CVE-2022-36760 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.4.55-r0
>= 2.4.0, < 2.4.55
from 0, < 2.4.56-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.0	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References (5)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-36760
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-36760
WEBhttpd.apache.org/security/vulnerabilities_24.html
WEBnvd.nist.gov/vuln/detail/CVE-2022-36760
WEB