Cyber Resilience

CVE-2022-22720

Critical

Published: 14 March 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (2.4.53 or later)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2596 (96.4th percentile)
Risk Priority: 35 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-22720 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Apache HTTP Server, which also affects products that bundle it, such as Apple Mac OS X (see Affected Assets). Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score ranks it in the top 3.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Apache HTTP Server 2.4.52 and earlier contains a flaw that prevents the server from closing an inbound connection when errors occur while discarding a request body. This behavior leaves the server exposed to HTTP request smuggling, tracked as CWE-444, and carries a CVSS 3.1 score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An unauthenticated remote attacker can send crafted requests that exploit the incomplete connection handling to smuggle additional HTTP requests. Successful exploitation can allow the attacker to bypass access controls, poison caches, or reach internal resources that would otherwise be protected by the server or front-end proxies.

The Apache HTTP Server project security page and related vendor advisories direct administrators to apply the fixes released in version 2.4.53 or later; the references also include follow-on disclosures that confirm the scope of affected configurations and recommended upgrade paths.
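As an added triage example (not code from this page, the Apache project, or any advisory), the following Python classifies collected httpd version banners against the "2.4.52 and earlier" range stated above, treating 2.4.53 as the first fixed release. The hostnames, banners, helper names, and the list of distributions that backport fixes are assumptions made for illustration.

```python
"""Inventory triage for CVE-2022-22720: classify httpd banners by version.

Added example, not code from the page or the Apache project. Version-banner
checks are an inventory aid, not proof: distributions often backport the fix
without changing the reported 2.4.x number.
"""
import re
from typing import Dict, Optional, Tuple

# First upstream release carrying the fix, per the advisory text above.
FIXED_VERSION = (2, 4, 53)

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
# Vendors assumed (for this example) to backport security fixes in place.
_DISTRO_RE = re.compile(r"\((Debian|Ubuntu|Red Hat|CentOS|Fedora|Oracle)\)")


def parse_httpd_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an `httpd -v` line or a Server: header.
    Returns None when no version is exposed (for example with ServerTokens Prod)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def triage(banner: str) -> str:
    """Classify one banner for CVE-2022-22720 exposure.

    'affected'        : version below 2.4.53, upstream-style build
    'verify-backport' : version below 2.4.53 but from a distribution that
                        backports fixes; confirm against the package changelog
    'fixed'           : version 2.4.53 or later
    'unknown'         : no version string available; check the host directly
    """
    version = parse_httpd_version(banner)
    if version is None:
        return "unknown"
    if version >= FIXED_VERSION:
        return "fixed"
    return "verify-backport" if _DISTRO_RE.search(banner) else "affected"


def triage_inventory(banners: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for a collected set of banners."""
    return {host: triage(b) for host, b in banners.items()}


# Constructed sample inventory: host names and banners are made up for this example.
SAMPLE_BANNERS = {
    "web-01": "Server version: Apache/2.4.52 (Unix)",
    "web-02": "Server: Apache/2.4.53 (Unix)",
    "web-03": "Server: Apache/2.4.38 (Debian)",
    "web-04": "Server: Apache",
    "web-05": "Server: Apache/2.2.34 (Unix)",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_BANNERS).items()):
        print(f"{host}: {status}")
```

The "verify-backport" state is the one worth keeping in a real inventory: a Debian or Red Hat build reporting 2.4.38 may already carry the fix, so the decision has to come from the package changelog or the vendor's advisory rather than the banner alone.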

EPSS for the vulnerability reached a peak of 0.3337 with a current value of 0.2746, indicating measurable post-disclosure interest.

EU & UK References

Vulnerability details

Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when errors are encountered while discarding the request body, exposing the server to HTTP Request Smuggling.

CWE(s)

CWE-444 (HTTP Request/Response Smuggling)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
apache | http server | ≤ 2.4.52
fedoraproject | fedora | 34, 35, 36
debian | debian linux | 9.0
oracle | enterprise manager ops center | 12.4.0.0
oracle | http server | 12.2.1.3.0, 12.2.1.4.0
oracle | zfs storage appliance kit | 8.8
apple | mac os x | 10.15.7
apple | macos | ≤ 10.15.7; 11.0 to 11.6.6; 12.0 to 12.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References