CVE-2022-22719
Published: 14 March 2022
Summary
CVE-2022-22719 is a high-severity Improper Initialization (CWE-665) vulnerability in Apple Mac Os X. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 3.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-22719 is a denial-of-service vulnerability in Apache HTTP Server versions 2.4.52 and earlier. A carefully crafted request body triggers an out-of-bounds read from a random memory location, which can terminate the worker process. The flaw is tracked under CWE-665 and carries a CVSS 3.1 base score of 7.5 reflecting network attack vector, low complexity, and high availability impact.
An unauthenticated remote attacker can trigger the condition simply by sending a single malicious HTTP request, causing the server to crash without any requirement for credentials or user interaction. Successful exploitation results only in service disruption rather than data disclosure or code execution.
Public advisories published by the Apache project and coordinated through oss-security and full-disclosure lists direct administrators to upgrade to a fixed release; the official Apache HTTP Server security page lists the corrected versions and back-port information for supported branches.
The associated EPSS probability reached a peak of 0.3615 and currently stands at 0.2985.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-27862
Vulnerability details
A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Ensures shared resources are explicitly initialized or cleared on allocation, preventing exposure of prior contents to new users or processes.
Mandates that every instance begins in a known (presumably clean) state, eliminating reliance on residual or uninitialized state left by prior executions.