Описание
Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.
An out-of-bounds read vulnerability was found in httpd. A very large input to the ap_strcmp_match function can lead to an integer overflow and result in an out-of-bounds read.
Отчет
According to upstream, no code distributed with the httpd server can exploit this flaw, however, third-party modules or Lua scripts that use the ap_strcmp_match function could potentially be affected.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | httpd | Out of support scope | ||
| Red Hat Enterprise Linux 7 | httpd | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform 6 | httpd22 | Out of support scope | ||
| Red Hat JBoss Web Server 3 | httpd24 | Fix deferred | ||
| JBoss Core Services for RHEL 8 | jbcs-httpd24-httpd | Fixed | RHSA-2022:8840 | 08.12.2022 |
| JBoss Core Services on RHEL 7 | jbcs-httpd24-httpd | Fixed | RHSA-2022:8840 | 08.12.2022 |
| Red Hat Enterprise Linux 8 | httpd | Fixed | RHSA-2022:7647 | 08.11.2022 |
| Red Hat Enterprise Linux 9 | httpd | Fixed | RHSA-2022:8067 | 15.11.2022 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | httpd24-httpd | Fixed | RHSA-2022:6753 | 29.09.2022 |
| Text-Only JBCS | httpd | Fixed | RHSA-2022:8841 | 08.12.2022 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.4 High
CVSS3
Связанные уязвимости
Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.
Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.
Apache HTTP Server 2.4.53 and earlier may crash or disclose informatio ...
Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.
Уязвимость функции ap_strcmp_match() веб-сервера Apache HTTP Server, позволяющая нарушителю вызвать отказ в обслуживании или получить несанкционированный доступ к защищаемой информации
EPSS
7.4 High
CVSS3