Cyber Resilience

CVE-2022-2466

Critical · Public PoC

Published: 31 August 2022

Modified: 21 November 2024
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1278 (94.2nd percentile)
Risk Priority: 27 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-2466 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Quarkus. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 5.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Quarkus 2.10.x contains a flaw in which the framework fails to terminate the HTTP request header context, classified as CWE-444 (HTTP Request/Response Smuggling). The affected component is the HTTP request-handling layer of the Quarkus runtime. The vulnerability received a CVSS 3.1 base score of 9.8, reflecting that it is exploitable over the network without credentials or user interaction.

An unauthenticated remote attacker can send crafted HTTP requests that leave header context active across requests. Successful exploitation can produce unpredictable server behavior that an attacker may leverage to compromise confidentiality, integrity, and availability of the application.

The associated EPSS score has remained flat at 0.1278 with no material rise after disclosure, indicating limited observed exploitation interest to date.

Vulnerability details

It was found that Quarkus 2.10.x does not terminate the HTTP request header context, which may lead to unpredictable behavior.

CWE(s)

CWE-444: HTTP Request/Response Smuggling
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: quarkus
Product: quarkus
Versions: 2.10.0 through 2.10.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
