CVE-2022-22721
CRITICAL9.1EPSS 13.5%core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
Published: 3/14/2022Modified: 4/28/2026
Description
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
Affected packages (3)
- Alpine/apache2from 0, < 2.4.53-r0
- Bitnami/apachefrom 0, < 2.4.53
- Debian/apache2from 0, < 2.4.53-1~deb11u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
References (19)
- ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2022-22721
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-22721
- WEBhttp://seclists.org/fulldisclosure/2022/May/33
- WEBhttp://seclists.org/fulldisclosure/2022/May/35
- WEBhttp://seclists.org/fulldisclosure/2022/May/38
- WEBhttps://httpd.apache.org/security/vulnerabilities_24.html
- WEBhttps://lists.debian.org/debian-lts-announce/2022/03/msg00033.html
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2022-22721
- WEBhttps://security.gentoo.org/glsa/202208-20
- WEBhttps://security.netapp.com/advisory/ntap-20220321-0001/
- WEBhttps://support.apple.com/kb/HT213255
- WEBhttps://support.apple.com/kb/HT213256
- WEBhttps://support.apple.com/kb/HT213257
- WEBhttps://www.oracle.com/security-alerts/cpuapr2022.html
- WEBhttps://www.oracle.com/security-alerts/cpujul2022.html
- WEBhttp://www.openwall.com/lists/oss-security/2022/03/14/2