CVE-2022-28614

CVE-2022-28614: read beyond bounds via ap_rwrite()

Vendor Apache Software Foundation
Product Apache HTTP Server
Weakness CWE-190
Published June 8, 2022
Last update August 3, 2024

CVSS base score

What the vulnerability does

01Description

The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue.

Key dates

02Disclosure timeline

June 8, 2022 CVE published
August 3, 2024 Record updated