Threat Encyclopedia

Memory Allocation, Out of Bounds Read, Integer Overflow, HTTP Request Smuggling, Information Disclosure, and Insufficient Verification of Data Authenticity Vulnerabilities for Apache HTTP Server

description-logoDescription

Apache HTTP Server 2.4.53 and earlier if configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abor, also a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. HTTP Request Smuggling vulnerability exists in mod_proxy_ajp of Apache HTTP Server, which allows an attacker to smuggle requests to the AJP server it forwards requests to. A read beyond bounds when configured to process requests with the mod_isapi module is also seen. An integer overflow vulnerability is also seen with the ap_rwrite() function where an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue. Integer oveflow can also be triggered when ap_strcmp_match() is provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected. Insufficient Verification of Data Authenticity due to X-Forwarded-* headers not being sent to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. Exposing information because r:wsread() that point past the end of the storage allocated for the buffer.

affected-products-logoAffected Applications

HTTP Server

Telemetry logoTelemetry