What is CVE-2022-22721?

CVE-2022-22721 is a critical-severity vulnerability in Apache Http_server, classified under Integer Overflow or Wraparound. CVSS score: 9.1/10. Published 2022-03-14.

How severe is CVE-2022-22721?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Is CVE-2022-22721 known to be exploited?

17 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Integer overflow in Apache Http_server

CVE-2022-22721

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

Vulnerability class: Integer Overflow

EPSS: 0.419 (98.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.

Affected products

Apache Http_server
Apache Software Foundation Http Server — versions Apache HTTP Server 2.4
Apple Macos
Apple Mac_os_x — versions 10.15.7
Oracle Enterprise_manager_ops_center — versions 12.4.0.0
Oracle Http_server — versions 12.2.1.3.0, 12.2.1.4.0
Oracle Zfs_storage_appliance_kit — versions 8.8
Debian Debian_linux — versions 9.0
Fedoraproject Fedora — versions 34, 35, 36

Weakness classification (CWE)

CWE-190 — Integer Overflow or Wraparound

Public proof-of-concept exploits

References

security@apache.org (x_refsource_MISC, Vendor Advisory)
security@apache.org (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
security@apache.org (x_refsource_FEDORA, vendor-advisory)
security@apache.org (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
security@apache.org (x_refsource_FEDORA, vendor-advisory)
security@apache.org (x_refsource_FEDORA, vendor-advisory)
security@apache.org (Patch, Third Party Advisory, x_refsource_MISC)
security@apache.org (x_refsource_CONFIRM, Third Party Advisory)
security@apache.org (mailing-list, x_refsource_FULLDISC, Third Party Advisory)
security@apache.org (mailing-list, x_refsource_FULLDISC, Third Party Advisory)

Frequently asked questions

What is CVE-2022-22721?: CVE-2022-22721 is a critical-severity vulnerability in Apache Http_server, classified under Integer Overflow or Wraparound. CVSS score: 9.1/10. Published 2022-03-14.
How severe is CVE-2022-22721?: Critical severity. CVSS v3 base score is 9.1 out of 10.
Is CVE-2022-22721 known to be exploited?: 17 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.