CVE-2022-37436 — Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP r

Description

Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

How to fix CVE-2022-37436

To remediate CVE-2022-37436, upgrade the affected package to a fixed version below.

—upgrade to 2.4.55-r0 or later
—upgrade to 2.4.55 or later
—upgrade to 2.4.56-1~deb11u1 or later

Is CVE-2022-37436 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.4.55-r0
from 0, < 2.4.55
from 0, < 2.4.56-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (5)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-37436
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-37436
WEBhttpd.apache.org/security/vulnerabilities_24.html
WEBnvd.nist.gov/vuln/detail/CVE-2022-37436
WEB