CVE-2022-22721

CRITICAL9.1EPSS 13.5%

core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody

發布日:2022/3/14修改日:2026/4/28

描述

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

受影響套件(3)

Alpine/apache2from 0, < 2.4.53-r0
Bitnami/apachefrom 0, < 2.4.53
Debian/apache2from 0, < 2.4.53-1~deb11u1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

參考連結(19)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2022-22721
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-22721
WEBhttp://seclists.org/fulldisclosure/2022/May/33
WEBhttp://seclists.org/fulldisclosure/2022/May/35
WEBhttp://seclists.org/fulldisclosure/2022/May/38
WEBhttps://httpd.apache.org/security/vulnerabilities_24.html
WEBhttps://lists.debian.org/debian-lts-announce/2022/03/msg00033.html
WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/
WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/
WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2022-22721
WEBhttps://security.gentoo.org/glsa/202208-20
WEBhttps://security.netapp.com/advisory/ntap-20220321-0001/
WEBhttps://support.apple.com/kb/HT213255
WEBhttps://support.apple.com/kb/HT213256
WEBhttps://support.apple.com/kb/HT213257
WEBhttps://www.oracle.com/security-alerts/cpuapr2022.html
WEBhttps://www.oracle.com/security-alerts/cpujul2022.html
WEBhttp://www.openwall.com/lists/oss-security/2022/03/14/2