Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Apache>
  3. Dev
CVE-2022-28614: Apache HTTP Server: read beyond bounds via ap_rwrite()
icing at apache
Jun 8, 2022, 2:43 AM
Post #1 of 2 (189 views)
Permalink
Severity: low

Description:

The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function.

Credit:

The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue

References:

https://httpd.apache.org/security/vulnerabilities_24.html
Re: CVE-2022-28614: Apache HTTP Server: read beyond bounds via ap_rwrite() [ In reply to ]
covener at apache
Jun 10, 2022, 10:45 AM
Post #2 of 2 (188 views)
Permalink
On Wed, Jun 8, 2022 at 5:43 AM Stefan Eissing <icing@apache.org> wrote:
>
> Severity: low
>
> Description:
>
> The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function.
>
> Credit:
>
> The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue
>
> References:
>
> https://httpd.apache.org/security/vulnerabilities_24.html

Some additional information has been added to this bulletin:

Modules compiled and distributed separately from Apache HTTP Server
that use the "ap_rputs" function and may pass it a very large (INT_MAX
or larger) string must be compiled against current headers to resolve
the issue.

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal