// For flags

CVE-2022-38114

Client-Side Desync Vulnerability

Severity Score

6.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

This vulnerability occurs when a web server fails to correctly process the Content-Length of POST requests. This can lead to HTTP request smuggling or XSS.

Esta vulnerabilidad ocurre cuando un servidor web no logra procesar correctamente la longitud del contenido de las solicitudes POST. Esto puede provocar tráfico ilegal de solicitudes HTTP o XSS.

*Credits: SolarWinds would like to thank Ken Pyle of CYBIR for disclosing this vulnerability to us responsibly.
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-08-09 CVE Reserved
  • 2022-11-23 CVE Published
  • 2024-06-15 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Solarwinds
Search vendor "Solarwinds"
 Security Event Manager
Search vendor "Solarwinds" for product "Security Event Manager"
 < 2022.4
Search vendor "Solarwinds" for product "Security Event Manager" and version " < 2022.4"
-
Affected