Denial of service in mod_lua r:parsebody
CVE-2022-29404

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 9 June 2022

Summary

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.

Affected Version(s)

Apache HTTP Server <= 2.4.53

References

https://httpd.apache.org/security/vulnerabilities_24.html

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2022/06/08/5

mailing-listx_refsource_MLIST

https://security.netapp.com/advisory/ntap-20220624-0005/

x_refsource_CONFIRM

EPSS Score

2% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 9, 2022
Vulnerability Reserved
Apr 16, 2022

Collectors

NVD DatabaseMitre Database

Credit

The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue