{"api_version":"1","generated_at":"2026-04-22T23:32:03+00:00","cve":"CVE-2022-26377","urls":{"html":"https://cve.report/CVE-2022-26377","api":"https://cve.report/api/cve/CVE-2022-26377.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-26377","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-26377"},"summary":{"title":"CVE-2022-26377","description":"Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2022-06-09 17:15:00","updated_at":"2023-11-07 03:44:00"},"problem_types":["CWE-444"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202208-20","name":"GLSA-202208-20","refsource":"GENTOO","tags":[],"title":"Apache HTTPD: Multiple Vulnerabilities (GLSA 202208-20) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/","name":"FEDORA-2022-e620fb15d5","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: httpd-2.4.54-3.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2022/06/08/2","name":"[oss-security] 20220608 CVE-2022-26377: Apache HTTP Server: mod_proxy_ajp: Possible request smuggling","refsource":"MLIST","tags":[],"title":"oss-security - CVE-2022-26377: Apache HTTP Server: mod_proxy_ajp: Possible\n request smuggling","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/","name":"FEDORA-2022-e620fb15d5","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: httpd-2.4.54-3.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://httpd.apache.org/security/vulnerabilities_24.html","name":"https://httpd.apache.org/security/vulnerabilities_24.html","refsource":"MISC","tags":[],"title":"Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/","name":"FEDORA-2022-b54a8dee29","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: httpd-2.4.54-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20220624-0005/","name":"https://security.netapp.com/advisory/ntap-20220624-0005/","refsource":"CONFIRM","tags":[],"title":"June 2022 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/","name":"FEDORA-2022-b54a8dee29","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: httpd-2.4.54-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-26377","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26377","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Ricter Z @ 360 Noah Lab","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"26377","vulnerable":"1","versionEndIncluding":"2.4.53","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"http_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"26377","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"26377","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"26377","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"clustered_data_ontap","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-26377","qid":"150539","title":"Apache HTTP Server 2.4.53 Multiple Vulnerabilities"},{"cve":"CVE-2022-26377","qid":"160250","title":"Oracle Enterprise Linux Security Update for httpd:2.4 (ELSA-2022-7647)"},{"cve":"CVE-2022-26377","qid":"160309","title":"Oracle Enterprise Linux Security Update for httpd (ELSA-2022-8067)"},{"cve":"CVE-2022-26377","qid":"180834","title":"Debian Security Update for apache2 (CVE-2022-26377)"},{"cve":"CVE-2022-26377","qid":"198838","title":"Ubuntu Security Notification for Apache Hypertext Transfer Protocol (HTTP) Server Vulnerabilities (USN-5487-1)"},{"cve":"CVE-2022-26377","qid":"240698","title":"Red Hat Update for httpd24-httpd (RHSA-2022:6753)"},{"cve":"CVE-2022-26377","qid":"240854","title":"Red Hat Update for httpd:2.4 (RHSA-2022:7647)"},{"cve":"CVE-2022-26377","qid":"240885","title":"Red Hat Update for httpd security (RHSA-2022:8067)"},{"cve":"CVE-2022-26377","qid":"240996","title":"Red Hat Update for JBoss Core Services (RHSA-2022:8840)"},{"cve":"CVE-2022-26377","qid":"282882","title":"Fedora Security Update for httpd (FEDORA-2022-e620fb15d5)"},{"cve":"CVE-2022-26377","qid":"282903","title":"Fedora Security Update for httpd (FEDORA-2022-b54a8dee29)"},{"cve":"CVE-2022-26377","qid":"296082","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 48.126.1 Missing (CPUJUL2022)"},{"cve":"CVE-2022-26377","qid":"353971","title":"Amazon Linux Security Advisory for httpd24 : ALAS-2022-1607"},{"cve":"CVE-2022-26377","qid":"353988","title":"Amazon Linux Security Advisory for httpd : ALAS2-2022-1812"},{"cve":"CVE-2022-26377","qid":"354482","title":"Amazon Linux Security Advisory for httpd : ALAS2022-2022-202"},{"cve":"CVE-2022-26377","qid":"354513","title":"Amazon Linux Security Advisory for httpd : ALAS2022-2022-110"},{"cve":"CVE-2022-26377","qid":"354577","title":"Amazon Linux Security Advisory for httpd : ALAS2022-2022-202"},{"cve":"CVE-2022-26377","qid":"355264","title":"Amazon Linux Security Advisory for httpd : ALAS2023-2023-072"},{"cve":"CVE-2022-26377","qid":"376863","title":"IBM Hypertext Transfer Protocol (HTTP) Server Multiple Vulnerabilities (6595149)"},{"cve":"CVE-2022-26377","qid":"501353","title":"Alpine Linux Security Update for apache2"},{"cve":"CVE-2022-26377","qid":"503857","title":"Alpine Linux Security Update for apache2"},{"cve":"CVE-2022-26377","qid":"672022","title":"EulerOS Security Update for httpd (EulerOS-SA-2022-2256)"},{"cve":"CVE-2022-26377","qid":"672041","title":"EulerOS Security Update for httpd (EulerOS-SA-2022-2270)"},{"cve":"CVE-2022-26377","qid":"672052","title":"EulerOS Security Update for httpd (EulerOS-SA-2022-2222)"},{"cve":"CVE-2022-26377","qid":"672060","title":"EulerOS Security Update for httpd (EulerOS-SA-2022-2243)"},{"cve":"CVE-2022-26377","qid":"672082","title":"EulerOS Security Update for httpd (EulerOS-SA-2022-2320)"},{"cve":"CVE-2022-26377","qid":"672128","title":"EulerOS Security Update for httpd (EulerOS-SA-2022-2291)"},{"cve":"CVE-2022-26377","qid":"672228","title":"EulerOS Security Update for httpd (EulerOS-SA-2022-2614)"},{"cve":"CVE-2022-26377","qid":"690877","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (49adfbe5-e7d1-11ec-8fbd-d4c9ef517024)"},{"cve":"CVE-2022-26377","qid":"710595","title":"Gentoo Linux Apache HTTPD Multiple Vulnerabilities (GLSA 202208-20)"},{"cve":"CVE-2022-26377","qid":"730739","title":"IBM Aspera Faspex Multiple Security Vulnerabilities (6952319)"},{"cve":"CVE-2022-26377","qid":"752247","title":"SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2101-1)"},{"cve":"CVE-2022-26377","qid":"752248","title":"SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2099-1)"},{"cve":"CVE-2022-26377","qid":"752307","title":"SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2302-1)"},{"cve":"CVE-2022-26377","qid":"752326","title":"SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2338-1)"},{"cve":"CVE-2022-26377","qid":"752331","title":"SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2022:2342-1)"},{"cve":"CVE-2022-26377","qid":"940741","title":"AlmaLinux Security Update for httpd:2.4 (ALSA-2022:7647)"},{"cve":"CVE-2022-26377","qid":"940823","title":"AlmaLinux Security Update for httpd (ALSA-2022:8067)"},{"cve":"CVE-2022-26377","qid":"960175","title":"Rocky Linux Security Update for httpd:2.4 (RLSA-2022:7647)"},{"cve":"CVE-2022-26377","qid":"960481","title":"Rocky Linux Security Update for httpd (RLSA-2022:8067)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2022-26377","STATE":"PUBLIC","TITLE":"mod_proxy_ajp: Possible request smuggling"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache HTTP Server","version":{"version_data":[{"version_affected":"<=","version_name":"Apache HTTP Server 2.4","version_value":"2.4.53"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"credit":[{"lang":"eng","value":"Ricter Z @ 360 Noah Lab"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":[{"other":"moderate"}],"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://httpd.apache.org/security/vulnerabilities_24.html","name":"https://httpd.apache.org/security/vulnerabilities_24.html"},{"refsource":"MLIST","name":"[oss-security] 20220608 CVE-2022-26377: Apache HTTP Server: mod_proxy_ajp: Possible request smuggling","url":"http://www.openwall.com/lists/oss-security/2022/06/08/2"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20220624-0005/","url":"https://security.netapp.com/advisory/ntap-20220624-0005/"},{"refsource":"FEDORA","name":"FEDORA-2022-e620fb15d5","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND/"},{"refsource":"FEDORA","name":"FEDORA-2022-b54a8dee29","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ/"},{"refsource":"GENTOO","name":"GLSA-202208-20","url":"https://security.gentoo.org/glsa/202208-20"}]},"source":{"discovery":"UNKNOWN"},"timeline":[{"lang":"eng","time":"2022-03-02","value":"Reported to security team"},{"lang":"eng","time":"2022-06-08","value":"released in 2.4.54"}]},"nvd":{"publishedDate":"2022-06-09 17:15:00","lastModifiedDate":"2023-11-07 03:44:00","problem_types":["CWE-444"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*","versionStartIncluding":"2.4.0","versionEndIncluding":"2.4.53","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}