CVE-2022-23943
Published on: Not Yet Published
Last Modified on: 10/26/2022 05:56:00 PM UTC
Certain versions of Http Server from Apache contain the following vulnerability:
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.
- CVE-2022-23943 has been assigned by
[email protected] to track the vulnerability - currently rated as CRITICAL severity. - Affected Vendor/Software: Apache Software Foundation - Apache HTTP Server version <= 2.4.52
CVSS3 Score: 9.8 - CRITICAL
| Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
|---|---|---|---|
| NETWORK | LOW | NONE | NONE |
| Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
| UNCHANGED | HIGH | HIGH | HIGH |
CVSS2 Score: 7.5 - HIGH
| Access Vector ⓘ |
Access Complexity |
Authentication |
|---|---|---|
| NETWORK | LOW | NONE |
| Confidentiality Impact |
Integrity Impact |
Availability Impact |
| PARTIAL | PARTIAL | PARTIAL |
CVE References
| Description | Tags ⓘ | Link |
|---|---|---|
| Apache HTTPD: Multiple Vulnerabilities (GLSA 202208-20) — Gentoo security | security.gentoo.org text/html |
GENTOO GLSA-202208-20 |
| Oracle Critical Patch Update Advisory - April 2022 | www.oracle.com text/html |
MISC www.oracle.com/security-alerts/cpuapr2022.html |
| [SECURITY] [DLA 2960-1] apache2 security update | lists.debian.org text/html |
MLIST [debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update |
| March 2022 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security | security.netapp.com text/html |
CONFIRM security.netapp.com/advisory/ntap-20220321-0001/ |
| [R1] Tenable.sc 5.21.0 Fixes Multiple Third-Party Vulnerabilities - Security Advisory | Tenable® | www.tenable.com text/html |
CONFIRM www.tenable.com/security/tns-2022-09 |
| oss-security - CVE-2022-23943: Apache HTTP Server: mod_sed: Read/write beyond bounds | www.openwall.com text/html |
MLIST [oss-security] 20220314 CVE-2022-23943: Apache HTTP Server: mod_sed: Read/write beyond bounds |
| Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project | httpd.apache.org text/html |
MISC httpd.apache.org/security/vulnerabilities_24.html |
| [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.19.0 to 5.20.1: Patch 202204.1 - Security Advisory | Tenable® | www.tenable.com text/html |
CONFIRM www.tenable.com/security/tns-2022-08 |
| [SECURITY] Fedora 36 Update: httpd-2.4.53-1.fc36 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org text/html |
FEDORA FEDORA-2022-78e3211c55 |
| [SECURITY] Fedora 34 Update: httpd-2.4.53-1.fc34 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org text/html |
FEDORA FEDORA-2022-21264ec6db |
| [SECURITY] Fedora 35 Update: httpd-2.4.53-1.fc35 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org text/html |
FEDORA FEDORA-2022-b4103753e9 |
Related QID Numbers
- 150515 Apache HTTP Server 2.4.53 Multiple Vulnerabilities
- 160250 Oracle Enterprise Linux Security Update for httpd:2.4 (ELSA-2022-7647)
- 160309 Oracle Enterprise Linux Security Update for httpd (ELSA-2022-8067)
- 179151 Debian Security Update for apache2 (DLA 2960-1)
- 179203 Debian Security Update for apache2 (CVE-2022-23943)
- 198705 Ubuntu Security Notification for Apache Hypertext Transfer Protocol (HTTP) Server Vulnerabilities (USN-5333-1)
- 240698 Red Hat Update for httpd24-httpd (RHSA-2022:6753)
- 240854 Red Hat Update for httpd:2.4 (RHSA-2022:7647)
- 240885 Red Hat Update for httpd security (RHSA-2022:8067)
- 240996 Red Hat Update for JBoss Core Services (RHSA-2022:8840)
- 282500 Fedora Security Update for httpd (FEDORA-2022-b4103753e9)
- 282521 Fedora Security Update for httpd (FEDORA-2022-21264ec6db)
- 296057 Oracle Solaris 11.4 Support Repository Update (SRU) 44.113.4 Missing (bulletinapr2022)
- 353269 Amazon Linux Security Advisory for httpd : ALAS2-2022-1783
- 353274 Amazon Linux Security Advisory for httpd24 : ALAS-2022-1584
- 354481 Amazon Linux Security Advisory for httpd : ALAS2022-2022-053
- 354482 Amazon Linux Security Advisory for httpd : ALAS2022-2022-202
- 354577 Amazon Linux Security Advisory for httpd : ALAS2022-2022-202
- 377648 Oracle Hypertext Transfer Protocol Server (HTTP Server) Multiple Vulnerabilities(CPUOCT2022)
- 500026 Alpine Linux Security Update for apache2
- 590870 Mitsubishi Electric MELSOFT iQ AppPortal Multiple Vulnerabilities (ICSA-22-132-02)
- 671578 EulerOS Security Update for httpd (EulerOS-SA-2022-1569)
- 671659 EulerOS Security Update for httpd (EulerOS-SA-2022-1730)
- 671739 EulerOS Security Update for httpd (EulerOS-SA-2022-1790)
- 671758 EulerOS Security Update for httpd (EulerOS-SA-2022-1807)
- 671800 EulerOS Security Update for httpd (EulerOS-SA-2022-1843)
- 671812 EulerOS Security Update for httpd (EulerOS-SA-2022-1867)
- 671851 EulerOS Security Update for httpd (EulerOS-SA-2022-1893)
- 690812 Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (6601c08d-a46c-11ec-8be6-d4c9ef517024)
- 710595 Gentoo Linux Apache HTTPD Multiple Vulnerabilities (GLSA 202208-20)
- 730403 Apache Hypertext Transfer Protocol (HTTP) Server Out-of-bounds Write Vulnerability
- 751909 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:0928-1)
- 751912 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:0918-1)
- 751918 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:0929-1)
- 751936 SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:1031-1)
- 751942 OpenSUSE Security Update for apache2 (openSUSE-SU-2022:1031-1)
- 900757 Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (9008)
- 901589 Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (9018-1)
- 940741 AlmaLinux Security Update for httpd:2.4 (ALSA-2022:7647)
- 940823 AlmaLinux Security Update for httpd (ALSA-2022:8067)
- 960175 Rocky Linux Security Update for httpd:2.4 (RLSA-2022:7647)
Known Affected Configurations (CPE V2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Http Server | All | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Operating System | Fedoraproject | Fedora | 36 | All | All | All |
| Application | Oracle | Http Server | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Http Server | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Zfs Storage Appliance Kit | 8.8 | All | All | All |
- cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*:
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*:
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*:
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*:
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*:
Discovery Credit
Ronald Crane (Zippenhop LLC)
Social Mentions
| Source | Title | Posted (UTC) |
|---|---|---|
 @CVEreport |
CVE-2022-23943 : Out-of-bounds Write vulnerability in mod_sed of #Apache HTTP Server allows an attacker to overwrit… twitter.com/i/web/status/1… | 2022-03-14 10:20:10 |
 /r/netcve |
CVE-2022-23943 | 2022-03-14 11:38:08 |
| /r/vulnintel |
Apache has released HTTP Server 2.4.53 addressing 4 vulnerabilities | 2022-03-14 10:48:29 |
| /r/AlmaLinux |
How long until apache httpd update? | 2022-05-11 16:49:27 |
| /r/Checkmk |
Apache httpd 2.4.52 ((Ubuntu)) | 2022-10-28 18:38:31 |
| /r/fortinet |
FortiEMS patching critical CVE security flaws without a PSIRT report ? | 2022-11-15 12:00:27 |