Vulnerability DatabaseCVE-2022-36760

CVE-2022-36760:
Apache HTTP Server vulnerability analysis and mitigation

Overview

CVE-2022-36760 is an Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability discovered in the modproxyajp module of Apache HTTP Server. The vulnerability affects Apache HTTP Server 2.4.54 and prior versions, and was disclosed on January 17, 2023. This security flaw allows an attacker to smuggle requests to the AJP server that receives forwarded requests (Apache Security).

Technical details

The vulnerability exists in the modproxyajp module of Apache HTTP Server and is classified as a request smuggling vulnerability. The CVSS base score for this vulnerability is 9.0 (Critical), indicating a high severity level. The vulnerability stems from inconsistent interpretation of HTTP requests that can be exploited when requests are forwarded to an AJP server (Ubuntu CVE).

Impact

When successfully exploited, this vulnerability allows an attacker to smuggle requests to the AJP server that receives forwarded requests from the Apache HTTP Server. This could potentially lead to unauthorized access, request manipulation, or other security implications for the backend AJP server (MITRE CVE).

Mitigation and workarounds

The vulnerability has been fixed in Apache HTTP Server version 2.4.55. Users are recommended to upgrade to this version or later to address the security issue. Various Linux distributions have also released security updates to patch this vulnerability (Gentoo Security).

Additional resources

Source: This report was generated using AI

9

Score

Published January 17, 2023

Severity CRITICAL

CNA Score 9.0

Affected Technologies

Apache HTTP Server
Rocky Linux

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 52.3

Exploitation Probability (EPSS) 0.3

Affected packages and libraries

apache2-worker
mod24_proxy_html

Sources

AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: Feb 22, 2023
- AlmaLinux 9 Severity MEDIUMHas FixAdded at: Feb 28, 2023
Alpine Security Tracker
- Alpine 3.14, 3.15, 3.16, 3.17 Severity CRITICALHas FixAdded at: Jan 18, 2023
- Alpine 3.18 Severity CRITICALHas FixAdded at: May 10, 2023
- Alpine 3.19 Severity CRITICALHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity CRITICALHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity CRITICALHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity CRITICALHas FixAdded at: Jun 01, 2025
- Alpine edge Severity CRITICALHas FixAdded at: Jun 19, 2023
CBL-Mariner
- CBL-Mariner 1.0, 2.0 Severity CRITICALHas FixAdded at: Jun 10, 2023
Debian Security Tracker
- Debian 10, 11, 12 Severity CRITICALHas FixAdded at: Jan 18, 2023
- Debian 13 Severity CRITICALHas FixAdded at: Jun 11, 2023
Gentoo Advisory Database
- Gentoo Severity LOWHas FixAdded at: Sep 09, 2023
Photon Security Advisory
- Photon 3.0 Severity CRITICALHas FixAdded at: Feb 01, 2023
- Photon 4.0 Severity CRITICALHas FixAdded at: Feb 05, 2023
Red Hat Errata
- Red Hat 6, 7 Severity MEDIUMNo FixAdded at: Feb 28, 2023
- Red Hat 8 Severity MEDIUMHas FixAdded at: Feb 21, 2023
- Red Hat 9 Severity MEDIUMHas FixAdded at: Feb 28, 2023
Rocky Linux Product Errata
- Rocky 9 Severity MEDIUMHas FixAdded at: May 14, 2023
Ubuntu Security Tracker
- Ubuntu 16.04, 18.04, 20.04, 22.04, 22.10 Severity MEDIUMHas FixAdded at: Jan 24, 2023
- Ubuntu 23.04 Severity MEDIUMHas FixAdded at: May 14, 2023
- Ubuntu 23.10 Severity MEDIUMHas FixAdded at: Oct 31, 2023
- Ubuntu 24.04 Severity MEDIUMHas FixAdded at: May 06, 2024
- Ubuntu 24.10 Severity MEDIUMHas FixAdded at: Dec 10, 2024
- Ubuntu 25.04 Severity MEDIUMHas FixAdded at: May 08, 2025
NVD
- Linux Severity CRITICALHas FixAdded at: Jan 25, 2023
- Windows Severity CRITICALHas FixAdded at: Jan 25, 2023