Vulnerability DatabaseCVE-2022-22720

CVE-2022-22720:
Apache HTTP Server vulnerability analysis and mitigation

Overview

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling. The vulnerability was discovered by James Kettle and assigned CVE-2022-22720. This issue affects Apache HTTP Server versions through 2.4.52 and was fixed in version 2.4.53 released in March 2022 (Apache Vulnerabilities).

Technical details

The vulnerability has a CVSS v3.1 Base Score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue occurs when the server fails to properly close inbound connections after encountering errors while discarding the request body, which can lead to HTTP Request Smuggling attacks (NVD).

Impact

A successful exploitation of this vulnerability could allow an attacker to perform HTTP Request Smuggling attacks. This could potentially lead to request modification, cache poisoning, and bypass of access controls in the proxy server (Apache Vulnerabilities).

Mitigation and workarounds

Users should upgrade to Apache HTTP Server version 2.4.53 or later which contains the fix for this vulnerability. The issue was addressed in the March 2022 security update (Apache Vulnerabilities).

Additional resources

Source: This report was generated using AI

9.8

Score

Published March 14, 2022

Severity CRITICAL

CNA Score N/A

Affected Technologies

Apache HTTP Server
Alma Linux

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 96.7

Exploitation Probability (EPSS) 32.8

Affected packages and libraries

httpd:2.4::mod_session
mod_proxy_html

Sources

AlmaLinux Security Advisory
- AlmaLinux 8 Severity HIGHHas FixAdded at: Jul 20, 2022
Alpine Security Tracker
- Alpine 3.12, 3.13, 3.14, 3.15 Severity CRITICALHas FixAdded at: Mar 15, 2022
- Alpine 3.16 Severity CRITICALHas FixAdded at: May 24, 2022
- Alpine 3.17 Severity CRITICALHas FixAdded at: Nov 23, 2022
- Alpine 3.18 Severity CRITICALHas FixAdded at: May 10, 2023
- Alpine 3.19 Severity CRITICALHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity CRITICALHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity CRITICALHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity CRITICALHas FixAdded at: Jun 01, 2025
- Alpine edge Severity CRITICALHas FixAdded at: Jun 19, 2023
CBL-Mariner
- CBL-Mariner 1.0, 2.0 Severity CRITICALHas FixAdded at: Jun 10, 2023
Debian Security Tracker
- Debian 9 Severity CRITICALHas FixAdded at: Mar 22, 2022
- Debian 10 Severity CRITICALHas FixAdded at: Mar 28, 2022
- Debian 11 Severity CRITICALHas FixAdded at: Mar 26, 2022
- Debian 12 Severity CRITICALHas FixAdded at: Mar 18, 2022
- Debian 13 Severity CRITICALHas FixAdded at: Jun 11, 2023
Gentoo Advisory Database
- Gentoo Severity HIGHHas FixAdded at: Aug 14, 2022
Photon Security Advisory
- Photon 1.0, 2.0, 3.0 Severity CRITICALHas FixAdded at: May 21, 2022
- Photon 4.0 Severity CRITICALHas FixAdded at: May 23, 2022
Red Hat Errata
- Red Hat 6 Severity HIGHHas FixAdded at: Feb 19, 2025
- Red Hat 7 Severity HIGHHas FixAdded at: Mar 17, 2022
- Red Hat 8 Severity HIGHHas FixAdded at: Mar 17, 2022
Ubuntu Security Tracker
- Ubuntu 14.04, 16.04 Severity MEDIUMHas FixAdded at: Mar 28, 2022
- Ubuntu 18.04, 20.04 Severity MEDIUMHas FixAdded at: Mar 16, 2022
- Ubuntu 21.10, 22.04 Severity MEDIUMHas FixAdded at: Nov 01, 2022
NVD
- Linux Severity CRITICALHas FixAdded at: Mar 18, 2022
- Windows Severity CRITICALHas FixAdded at: Mar 15, 2022