CVE-2022-28330

read beyond bounds in mod_isapi

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module.

Apache HTTP Server versiones 2.4.53 y anteriores en Windows, puede leer más allá de los límites cuando es configurado para procesar peticiones con el módulo mod_isapi

An out-of-bounds read vulnerability was found in the mod_isapi module of httpd. The issue occurs when httpd is configured to process requests with the mod_isapi module.

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include buffer over-read, buffer overflow, bypass, code execution, denial of service, double free, integer overflow, out of bounds read, and use-after-free vulnerabilities.

*Credits: The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-04-01 CVE Reserved
2022-06-08 CVE Published
2024-08-03 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (5)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2022/06/08/3	Mailing List
https://security.netapp.com/advisory/ntap-20220624-0005	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://httpd.apache.org/security/vulnerabilities_24.html	2022-06-24
https://access.redhat.com/security/cve/CVE-2022-28330	2022-12-08
https://bugzilla.redhat.com/show_bug.cgi?id=2095000	2022-12-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"	Http Server Search vendor "Apache" for product "Http Server"	<= 2.4.53 Search vendor "Apache" for product "Http Server" and version " <= 2.4.53"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe