CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting
First published: Tue Jan 17 2023(Updated: )
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/httpd | <2.4.55 | 2.4.55 |
| Apache Http Server | <2.4.55 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=17.1.0<=17.1.2 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=16.1.0<=16.1.5 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=15.1.0<=15.1.10 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=14.1.0<=14.1.5 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=13.1.0<=13.1.5 | |
| F5 F5OS | >=1.3.0<=1.3.2 | |
| F5 F5OS | >=1.5.0<=1.5.1>=1.3.0<=1.3.2 | |
| F5 Traffix Systems Signaling Delivery Controller | =5.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://www.openwall.com/lists/oss-security/2023/01/17/7
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2162094
- https://access.redhat.com/errata/RHSA-2023:0852
- https://access.redhat.com/errata/RHSA-2023:0970
- https://access.redhat.com/security/cve/cve-2022-37436
- https://access.redhat.com/errata/RHSA-2023:4628
- https://access.redhat.com/errata/RHSA-2023:4629
- https://bugzilla.redhat.com/show_bug.cgi?id=2161773
- https://security.gentoo.org/glsa/202309-01
- https://my.f5.com/manage/s/article/K000132665
Frequently Asked Questions
What is CVE-2022-37436?
CVE-2022-37436 is a vulnerability in Apache HTTP Server prior to version 2.4.55 that allows a malicious backend to truncate response headers, resulting in some headers being incorporated into the response body.
How does CVE-2022-37436 affect Apache HTTP Server?
CVE-2022-37436 affects Apache HTTP Server versions prior to 2.4.55.
What is the severity of CVE-2022-37436?
CVE-2022-37436 has a severity of medium with a CVSS score of 5.3.
What is the CWE ID of CVE-2022-37436?
CVE-2022-37436 is associated with CWE IDs 113 and 436.
How can I fix CVE-2022-37436?
To fix CVE-2022-37436, upgrade your Apache HTTP Server to version 2.4.55 or later.
- agent/weakness
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-37436
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/description
- agent/first-publish-date
- agent/last-modified-date
- agent/source
- agent/author
- agent/severity
- agent/references
- agent/event
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- collector/f5-advisory
- source/F5
- package-manager/redhat
- vendor/apache
- canonical/apache http server
- vendor/f5
- canonical/f5 big-ip and big-iq centralized management
- version/f5 big-ip and big-iq centralized management/17.1.0
- version/f5 big-ip and big-iq centralized management/17.1.2
- version/f5 big-ip and big-iq centralized management/16.1.0
- version/f5 big-ip and big-iq centralized management/16.1.5
- version/f5 big-ip and big-iq centralized management/15.1.0
- version/f5 big-ip and big-iq centralized management/15.1.10
- version/f5 big-ip and big-iq centralized management/14.1.0
- version/f5 big-ip and big-iq centralized management/14.1.5
- version/f5 big-ip and big-iq centralized management/13.1.0
- version/f5 big-ip and big-iq centralized management/13.1.5
- canonical/f5 f5os
- version/f5 f5os/1.3.0
- version/f5 f5os/1.3.2
- version/f5 f5os/1.5.0
- version/f5 f5os/1.5.1
- canonical/f5 traffix systems signaling delivery controller
- version/f5 traffix systems signaling delivery controller/5.2.0