At least four vulnerabilities in Apache HTTP Server have been confirmed. According to information security specialists, successful exploitation of these flaws would enable several attack scenarios.
Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores assigned under the Common Vulnerability Scoring System (CVSS).
CVE-2022-23943: A boundary error when processing untrusted input in mod_sed would allow remote threat actors to trigger an out-of-bounds write and execute arbitrary code on the affected system.
The flaw received a CVSS score of 8.5/10 and is considered a critical security bug.
CVE-2022-22721: A boundary error within LimitXMLRequestBody would allow remote threat actors to trigger memory corruption and execute arbitrary code on the compromised system.
The flaw received a CVSS score of 8.5/10 and its successful exploitation could result in a complete compromise of the affected system.
CVE-2022-22720: Improper validation of HTTP requests would allow remote attackers to send specially crafted HTTP requests to the affected server and carry out HTTP header smuggling attacks.
This is a flaw of medium severity and received a CVSS score of 5.3/10.
CVE-2022-22719: Use of an uninitialized value in r:parsebody would allow remote threat actors to pass specially crafted input to the affected application and trigger a denial-of-service (DoS) condition.
The flaw received a CVSS score of 6.5/10.
According to the report, the vulnerabilities reside in all versions of Apache HTTP Server between v2.4.0 and v2.4.52.
While the flaws can be exploited by unauthenticated threat actors, no active exploitation attempts have been detected so far. Still, information security specialists recommend that users of affected deployments upgrade as soon as possible.
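As an added example (not part of the original report), the script below turns the advisory's affected range into a quick audit an administrator can run on a host: it parses the output of `httpd -v` and `httpd -M` (`apache2ctl -v` / `apache2ctl -M` on Debian-style systems), flags builds between 2.4.0 and 2.4.52 inclusive, and reports whether mod_sed (the module named in CVE-2022-23943) and mod_lua (the module that provides r:parsebody, named in CVE-2022-22719) are actually loaded, since hosts without those modules are not exposed to those two flaws. The sample command output embedded in the script is constructed for offline use; the `run_local` helper and the binary name it defaults to are assumptions about the host.

```python
"""Audit an Apache httpd host against the 2.4.0 - 2.4.52 affected range.

Added example, not code from the original article or the Apache project.
Feed it the text of `httpd -v` and `httpd -M` (or run `run_local()` on a
host); the constructed samples below let it run offline.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (2, 4, 0)    # first affected release per the advisory
AFFECTED_MAX: Version = (2, 4, 52)   # last affected release per the advisory

# Loaded-module name -> the CVE from the advisory that depends on it.
# mod_lua is where the r:parsebody API lives.
RISKY_MODULES: Dict[str, str] = {
    "sed_module": "CVE-2022-23943",
    "lua_module": "CVE-2022-22719",
}

# Constructed sample output of `httpd -v` and `httpd -M` (not captured
# from a real host).
SAMPLE_VERSION = (
    "Server version: Apache/2.4.52 (Unix)\n"
    "Server built:   Dec 20 2021 00:00:00\n"
)
SAMPLE_MODULES = (
    "Loaded Modules:\n"
    " core_module (static)\n"
    " sed_module (shared)\n"
    " lua_module (shared)\n"
)


def parse_httpd_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `httpd -v` output, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when the version lies inside the advisory's range, inclusive."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def loaded_risky_modules(text: str) -> Dict[str, str]:
    """Map each loaded module from `httpd -M` output to the CVE it enables."""
    loaded = set(re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)", text, re.M))
    return {mod: cve for mod, cve in RISKY_MODULES.items() if mod in loaded}


def audit(version_text: str, modules_text: str) -> dict:
    """Combine version and module checks into one finding."""
    version = parse_httpd_version(version_text)
    affected = version is not None and is_affected(version)
    risky = loaded_risky_modules(modules_text) if affected else {}
    if affected:
        # CVE-2022-22721 and CVE-2022-22720 do not depend on an optional
        # module, so an affected version is flagged regardless of risky.
        advice = "upgrade: version is in the affected range"
    elif version is None:
        advice = "could not determine version"
    else:
        advice = "version is outside the affected range"
    return {"version": version, "affected": affected,
            "module_exposure": risky, "advice": advice}


def run_local(binary: str = "apache2ctl") -> dict:
    """Run the audit against the local binary (assumed to accept -v and -M)."""
    vtext = subprocess.run([binary, "-v"], capture_output=True, text=True).stdout
    mtext = subprocess.run([binary, "-M"], capture_output=True, text=True).stdout
    return audit(vtext, mtext)


if __name__ == "__main__":
    print(audit(SAMPLE_VERSION, SAMPLE_MODULES))
```

The module check is only a refinement: an affected version still needs the upgrade for CVE-2022-22721 and CVE-2022-22720, which the script reflects by flagging the version range first and listing module exposure as extra detail.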
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.