Cyber Resilience

CVE-2022-22719

High

Published: 14 March 2022

Published
14 March 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.2985 96.8th percentile
Risk Priority 33 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-22719 is a high-severity Improper Initialization (CWE-665) vulnerability in Apple Mac Os X. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 3.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-22719 is a denial-of-service vulnerability in Apache HTTP Server versions 2.4.52 and earlier. A carefully crafted request body triggers an out-of-bounds read from a random memory location, which can terminate the worker process. The flaw is tracked under CWE-665 and carries a CVSS 3.1 base score of 7.5 reflecting network attack vector, low complexity, and high availability impact.

An unauthenticated remote attacker can trigger the condition simply by sending a single malicious HTTP request, causing the server to crash without any requirement for credentials or user interaction. Successful exploitation results only in service disruption rather than data disclosure or code execution.

Public advisories published by the Apache project and coordinated through oss-security and full-disclosure lists direct administrators to upgrade to a fixed release; the official Apache HTTP Server security page lists the corrected versions and back-port information for supported branches.

The associated EPSS probability reached a peak of 0.3615 and currently stands at 0.2985.

EU & UK References

Vulnerability details

A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
http server
≤ 2.4.52
debian
debian linux
9.0
fedoraproject
fedora
34, 35, 36
oracle
http server
12.2.1.3.0, 12.2.1.4.0
oracle
zfs storage appliance kit
8.8
apple
mac os x
10.15.7
apple
macos
≤ 10.15.7 · 11.0 — 11.6.6 · 12.0.0 — 12.4

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-665

Ensures shared resources are explicitly initialized or cleared on allocation, preventing exposure of prior contents to new users or processes.

addresses: CWE-665

Mandates that every instance begins in a known (presumably clean) state, eliminating reliance on residual or uninitialized state left by prior executions.

References