CVE-2022-37436

Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

CVSS v3.0 5.3 MEDIUM

5.3^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://httpd.apache.org/security/vulnerabilities_24.html	Release Notes Vendor Advisory
https://httpd.apache.org/security/vulnerabilities_24.html	Release Notes Vendor Advisory
https://security.gentoo.org/glsa/202309-01
https://security.gentoo.org/glsa/202309-01

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

History

04 Apr 2025, 18:15

Type	Values Removed	Values Added
CWE	~~CWE-436~~	CWE-113
References		() https://security.gentoo.org/glsa/202309-01 -
References	~~(MISC) https://httpd.apache.org/security/vulnerabilities_24.html - Release Notes, Vendor Advisory~~	() https://httpd.apache.org/security/vulnerabilities_24.html - Release Notes, Vendor Advisory

Information

Published : 2023-01-17 20:15

Updated : 2025-04-04 18:15

NVD link : CVE-2022-37436

Mitre link : CVE-2022-37436

JSON object : View

Products Affected

apache

http_server

CWE

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

5.3 /10