CVE-2022-36760

CRITICAL9.0EPSS 0.31%

Apache HTTP Server: mod_proxy_ajp Possible request smuggling

Published: 1/17/2023Modified: 4/28/2026

Description

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.

Affected packages (3)

Alpine/apache2from 0, < 2.4.55-r0
Bitnami/apache>= 2.4.0, < 2.4.55
Debian/apache2from 0, < 2.4.56-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.0	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

References (5)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2022-36760
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-36760
WEBhttps://httpd.apache.org/security/vulnerabilities_24.html
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2022-36760
WEBhttps://security.gentoo.org/glsa/202309-01