CVE-2022-2466
Published: 31 August 2022
Summary
CVE-2022-2466 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in the Quarkus framework. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Quarkus 2.10.x contains a flaw in which the framework fails to terminate the HTTP request header context, an issue classified as CWE-444. The affected component is the HTTP request handling layer of the Quarkus runtime, and the vulnerability received a CVSS 3.1 score of 9.8, reflecting that it is exploitable over the network without credentials or user interaction.
An unauthenticated remote attacker can send crafted HTTP requests that leave the header context active across requests. Successful exploitation can produce unpredictable server behavior that an attacker may leverage to compromise the confidentiality, integrity, and availability of the application.
The associated EPSS score has remained flat at 0.1278 with no material rise after disclosure, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6884
Vulnerability details
It was found that Quarkus 2.10.x does not terminate the HTTP request header context, which may lead to unpredictable behavior.
- CWE(s): CWE-444
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.