{"api_version":"1","generated_at":"2026-04-17T08:45:59+00:00","cve":"CVE-2022-37436","urls":{"html":"https://cve.report/CVE-2022-37436","api":"https://cve.report/api/cve/CVE-2022-37436.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-37436","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-37436"},"summary":{"title":"CVE-2022-37436","description":"Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2023-01-17 20:15:00","updated_at":"2023-09-08 22:15:00"},"problem_types":["CWE-113"],"metrics":[],"references":[{"url":"https://httpd.apache.org/security/vulnerabilities_24.html","name":"https://httpd.apache.org/security/vulnerabilities_24.html","refsource":"MISC","tags":[],"title":"Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202309-01","name":"https://security.gentoo.org/glsa/202309-01","refsource":"MISC","tags":[],"title":"Apache HTTPD: Multiple Vulnerabilities (GLSA 202309-01) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-37436","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37436","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"37436","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"http_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-37436","qid":"150640","title":"Apache HTTP Server Prior to 2.4.55 Multiple Security Vulnerabilities"},{"cve":"CVE-2022-37436","qid":"160477","title":"Oracle Enterprise Linux Security Update for httpd:2.4 (ELSA-2023-0852)"},{"cve":"CVE-2022-37436","qid":"160485","title":"Oracle Enterprise Linux Security Update for httpd (ELSA-2023-0970)"},{"cve":"CVE-2022-37436","qid":"181620","title":"Debian Security Update for apache2 (DLA 3351-1)"},{"cve":"CVE-2022-37436","qid":"181660","title":"Debian Security Update for apache2 (DSA 5376-1)"},{"cve":"CVE-2022-37436","qid":"182671","title":"Debian Security Update for apache2 (CVE-2022-37436)"},{"cve":"CVE-2022-37436","qid":"199145","title":"Ubuntu Security Notification for Apache Hypertext Transfer Protocol (HTTP) Server Vulnerabilities (USN-5839-1)"},{"cve":"CVE-2022-37436","qid":"199515","title":"Ubuntu Security Notification for Apache Hypertext Transfer Protocol (HTTP) Server Vulnerability (USN-5839-2)"},{"cve":"CVE-2022-37436","qid":"241210","title":"Red Hat Update for httpd:2.4 (RHSA-2023:0852)"},{"cve":"CVE-2022-37436","qid":"241220","title":"Red Hat Update for httpd (RHSA-2023:0970)"},{"cve":"CVE-2022-37436","qid":"241954","title":"Red Hat Update for JBoss Core Services (RHSA-2023:4629)"},{"cve":"CVE-2022-37436","qid":"283640","title":"Fedora Security Update for httpd (FEDORA-2023-f6ff3f85eb)"},{"cve":"CVE-2022-37436","qid":"283670","title":"Fedora Security Update for httpd (FEDORA-2023-6d4055d482)"},{"cve":"CVE-2022-37436","qid":"354767","title":"Amazon Linux Security Advisory for httpd : ALAS2-2023-1938"},{"cve":"CVE-2022-37436","qid":"354845","title":"Amazon Linux Security Advisory for httpd24 : ALAS-2023-1711"},{"cve":"CVE-2022-37436","qid":"355218","title":"Amazon Linux Security Advisory for httpd : ALAS2023-2023-115"},{"cve":"CVE-2022-37436","qid":"378372","title":"IBM Hypertext Transfer Protocol (HTTP) Server Multiple Vulnerabilities (6955577)"},{"cve":"CVE-2022-37436","qid":"378948","title":"Oracle Hypertext Transfer Protocol (HTTP) Server Multiple Vulnerabilities (CPUOCT2023)"},{"cve":"CVE-2022-37436","qid":"502635","title":"Alpine Linux Security Update for apache2"},{"cve":"CVE-2022-37436","qid":"503097","title":"Alpine Linux Security Update for apache2"},{"cve":"CVE-2022-37436","qid":"503858","title":"Alpine Linux Security Update for apache2"},{"cve":"CVE-2022-37436","qid":"505846","title":"Alpine Linux Security Update for apache2"},{"cve":"CVE-2022-37436","qid":"672790","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-1550)"},{"cve":"CVE-2022-37436","qid":"672801","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-1525)"},{"cve":"CVE-2022-37436","qid":"672865","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-1596)"},{"cve":"CVE-2022-37436","qid":"672903","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-1780)"},{"cve":"CVE-2022-37436","qid":"672910","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-1758)"},{"cve":"CVE-2022-37436","qid":"672999","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-1847)"},{"cve":"CVE-2022-37436","qid":"673013","title":"EulerOS Security Update for httpd (EulerOS-SA-2023-1872)"},{"cve":"CVE-2022-37436","qid":"691030","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (00919005-96a3-11ed-86e9-d4c9ef517024)"},{"cve":"CVE-2022-37436","qid":"753594","title":"SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2023:0183-1)"},{"cve":"CVE-2022-37436","qid":"753595","title":"SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2023:0185-1)"},{"cve":"CVE-2022-37436","qid":"753638","title":"SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2023:0294-1)"},{"cve":"CVE-2022-37436","qid":"753653","title":"SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2023:0321-1)"},{"cve":"CVE-2022-37436","qid":"753658","title":"SUSE Enterprise Linux Security Update for apache2 (SUSE-SU-2023:0322-1)"},{"cve":"CVE-2022-37436","qid":"905361","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (13155)"},{"cve":"CVE-2022-37436","qid":"905369","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (13167)"},{"cve":"CVE-2022-37436","qid":"905475","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (13155-1)"},{"cve":"CVE-2022-37436","qid":"905525","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (13167-1)"},{"cve":"CVE-2022-37436","qid":"940931","title":"AlmaLinux Security Update for httpd:2.4 (ALSA-2023:0852)"},{"cve":"CVE-2022-37436","qid":"940948","title":"AlmaLinux Security Update for httpd (ALSA-2023:0970)"},{"cve":"CVE-2022-37436","qid":"960655","title":"Rocky Linux Security Update for httpd:2.4 (RLSA-2023:0852)"},{"cve":"CVE-2022-37436","qid":"960890","title":"Rocky Linux Security Update for httpd (RLSA-2023:0970)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-37436","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers","cweId":"CWE-113"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache Software Foundation","product":{"product_data":[{"product_name":"Apache HTTP Server","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"2.4.55"}]}}]}}]}},"references":{"reference_data":[{"url":"https://httpd.apache.org/security/vulnerabilities_24.html","refsource":"MISC","name":"https://httpd.apache.org/security/vulnerabilities_24.html"},{"url":"https://security.gentoo.org/glsa/202309-01","refsource":"MISC","name":"https://security.gentoo.org/glsa/202309-01"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"discovery":"UNKNOWN"},"credits":[{"lang":"en","value":"Dimas Fariski Setyawan Putra (@nyxsorcerer)"}]},"nvd":{"publishedDate":"2023-01-17 20:15:00","lastModifiedDate":"2023-09-08 22:15:00","problem_types":["CWE-113"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*","versionEndExcluding":"2.4.55","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}