CVE-2022-37436

MEDIUM5.3EPSS 0.54%

Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting

Published: 1/17/2023Modified: 4/28/2026

Description

Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

Affected packages (3)

Alpine/apache2from 0, < 2.4.55-r0
Bitnami/apachefrom 0, < 2.4.55
Debian/apache2from 0, < 2.4.56-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (5)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2022-37436
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-37436
WEBhttps://httpd.apache.org/security/vulnerabilities_24.html
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2022-37436
WEBhttps://security.gentoo.org/glsa/202309-01