CVE-2022-25147

Apache Portable Runtime Utility (APR-util): out-of-bounds writes in the apr_base64 family of functions

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer.

This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.

Vulnerabilidad de desbordamiento de enteros o envoltura en las funciones apr_base64 de Apache Portable Runtime Utility (APR-util) permite a un atacante escribir más allá de los límites de un búfer. Este problema afecta a Apache Portable Runtime Utility (APR-util) 1.6.1 y versiones anteriores.

A flaw was found in the Apache Portable Runtime Utility (APR-util) library. This issue may allow a malicious attacker to cause an out-of-bounds write due to an integer overflow when encoding/decoding a very long string using the base64 family of functions.

*Credits: Ronald Crane (Zippenhop LLC)

CVSS Scores

NISTv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-14 CVE Reserved
2023-01-31 CVE Published
2024-08-03 CVE Updated
2024-08-23 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-190: Integer Overflow or Wraparound

CAPEC

References (4)

URL	Tag	Source
https://security.netapp.com/advisory/ntap-20240315-0001

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/np5gjqlohc4f62lr09vrn61vl44cylh8	2024-03-15
https://access.redhat.com/security/cve/CVE-2022-25147	2023-05-31
https://bugzilla.redhat.com/show_bug.cgi?id=2169652	2023-05-31

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Portable Runtime Utility Search vendor "Apache" for product "Portable Runtime Utility"				<= 1.6.1 Search vendor "Apache" for product "Portable Runtime Utility" and version " <= 1.6.1"		-		Affected