CVE-2022-22720
Published: 14 March 2022
Summary
CVE-2022-22720 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Apple Mac OS X. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 3.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
Apache HTTP Server 2.4.52 and earlier contains a flaw that prevents the server from closing an inbound connection when errors occur while discarding a request body. This behavior leaves the server exposed to HTTP request smuggling, tracked as CWE-444, and carries a CVSS 3.1 score of 9.8, reflecting a network-accessible attack vector with low attack complexity and no required privileges or user interaction.
An unauthenticated remote attacker can send crafted requests that exploit the incomplete connection handling to smuggle additional HTTP requests. Successful exploitation can allow the attacker to bypass access controls, poison caches, or reach internal resources that would otherwise be protected by the server or front-end proxies.
The Apache HTTP Server project security page and related vendor advisories direct administrators to apply the fixes released in version 2.4.53 or later; the references also include follow-on disclosures that confirm the scope of affected configurations and recommended upgrade paths.
The EPSS score for the vulnerability peaked at 0.3337 and currently stands at 0.2746, indicating measurable post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-27863
Vulnerability details
Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when errors are encountered while discarding the request body, exposing the server to HTTP Request Smuggling.
- CWE(s): CWE-444
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.