CVE-2022-24963
Published: 31 January 2023
Summary
CVE-2022-24963 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Apache Portable Runtime. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked at the 34.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability CVE-2022-24963 is an integer overflow or wraparound weakness in the apr_encode functions of Apache Portable Runtime (APR) 1.7.0 that allows an attacker to write beyond the bounds of a buffer. It carries a CVSS 3.1 score of 9.8 and is tracked under CWE-190.
An unauthenticated remote attacker can exploit the flaw over the network without user interaction to compromise confidentiality, integrity, and availability on affected systems.
Public advisories referenced by Apache and NetApp outline the issue and recommended actions for users of APR 1.7.0.
The associated EPSS score rose from a low baseline to a peak of 0.1148 on 2025-01-22 before receding, indicating that exploitation interest emerged after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29715
Vulnerability details
Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.
- CWE(s): CWE-190 (Integer Overflow or Wraparound)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.