First published: Tue Jan 31 2023
Apache Portable Runtime (APR) could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the apr_socket_sendv() function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
Credit: security@apache.org
Affected Software | Affected Version | How to fix
---|---|---
Apache Portable Runtime | <=1.7.0 | 
Microsoft Windows | | 
IBM Engineering Requirements Management DOORS | <=9.7.2.8 | 
IBM Engineering Requirements Management DOORS Web Access | <=9.7.2.8 | 
IBM® Rational DOORS/DOORS Web Access | <=9.6.1.x | 
The severity of CVE-2022-28331 is critical with a CVSS v3 score of 9.8.
The Apache Portable Runtime version 1.7.0 and earlier on Windows is affected by CVE-2022-28331.
CVE-2022-28331 may allow an attacker to write beyond the end of a stack-based buffer in apr_socket_sendv() on Windows systems.
No, Microsoft Windows itself is not vulnerable to CVE-2022-28331; the affected component is Apache Portable Runtime running on Windows.
Update to Apache Portable Runtime version 1.7.1 or later to fix CVE-2022-28331.
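The description and FAQ above name the bug class in one sentence: an integer overflow in apr_socket_sendv() that lets a write run past a stack-based buffer. The following C model is an added illustration of that class, hypothetical code written for this page and not APR's source: a descriptor count truncated to 32 bits passes the "fits on the stack" test that a width-correct, overflow-checked count rejects. The names CHUNK_MAX, ON_STACK_DESCS and struct iov are assumptions, and a 64-bit size_t is assumed.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a sendv-style wrapper (hypothetical, not APR source).
 * Each element is split into chunks of at most CHUNK_MAX bytes; when the
 * chunk count is small the descriptors are staged in an on-stack array. */
#define CHUNK_MAX      0xFFFFFFFFu   /* largest byte count one descriptor carries */
#define ON_STACK_DESCS 16            /* descriptors the stack array can hold */

struct iov { const void *base; size_t len; };

/* Descriptors needed for one element; a zero-length element still needs one. */
static size_t chunks_for(size_t len) {
    size_t per = len / CHUNK_MAX + (len % CHUNK_MAX != 0);
    return per ? per : 1;
}

/* Unsafe: the total is kept in 32 bits. With 64-bit lengths one element can
 * need more than 2^32 descriptors, the count wraps, and the "fits on the
 * stack" test passes while the fill loop would write far past the array. */
uint32_t count_chunks_unsafe(const struct iov *v, int32_t n) {
    uint32_t chunks = 0;
    for (int32_t i = 0; i < n; i++)
        chunks += (uint32_t)chunks_for(v[i].len);
    return chunks;
}

/* Hardened: accumulate in size_t, reject a total that would wrap or that
 * exceeds what the descriptor-count type can represent. Returns 0 on success. */
int count_chunks_checked(const struct iov *v, int32_t n, size_t *out) {
    size_t chunks = 0;
    if (n < 0 || !out) return -1;
    for (int32_t i = 0; i < n; i++) {
        size_t per = chunks_for(v[i].len);
        if (chunks > SIZE_MAX - per) return -1;        /* addition would wrap */
        chunks += per;
        if (chunks > (size_t)INT32_MAX) return -1;     /* too many for the API */
    }
    *out = chunks;
    return 0;
}

int fits_on_stack(size_t chunks) { return chunks <= ON_STACK_DESCS; }

/* Constructed input: one element claiming SIZE_MAX bytes (nothing is sent).
 * Returns 1 when the unsafe count says it fits on the stack while the
 * checked count refuses the same input, i.e. when the two disagree. */
int demo_disagreement(void) {
    struct iov v = { "", SIZE_MAX };
    size_t checked;
    int unsafe_fits = fits_on_stack(count_chunks_unsafe(&v, 1));
    int refused = count_chunks_checked(&v, 1, &checked) != 0;
    return unsafe_fits && refused;
}
```

The checked variant is the shape of fix a reviewer looks for: the count is held in a type as wide as the lengths it is derived from, and an explicit upper bound is enforced before any buffer is sized from it.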