CVE-2022-29404: 
Apache HTTP Server vulnerability analysis and mitigation

CVE-2022-29404 affects Apache HTTP Server 2.4.53 and earlier versions. The vulnerability involves a malicious request to a lua script that calls r:parsebody(0) which may cause a denial of service due to no default limit on possible input size. This vulnerability was discovered by Ronald Crane from Zippenhop LLC and was fixed in Apache HTTP Server version 2.4.54 (Apache Advisory).

The vulnerability exists in the mod_lua module of Apache HTTP Server where a request to a Lua script calling the parsebody(0) function could lead to a denial of service condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely with no privileges required (NVD, NetApp Advisory).

When successfully exploited, this vulnerability can lead to a denial of service condition due to unrestricted resource consumption. The absence of a default limit on possible input size when processing request bodies through the r:parsebody(0) function can allow attackers to exhaust server resources (Apache Advisory, NetApp Advisory).

The vulnerability was fixed in Apache HTTP Server version 2.4.54. To address this issue, users should upgrade to version 2.4.54 or later. Additionally, in version 2.4.54, the default value for the 'LimitRequestBody' directive has been changed from 0 (unlimited) to 1 GiB to prevent such attacks (Red Hat Advisory).