CVE-2023-31122
Published: 23 October 2023
Summary
CVE-2023-31122 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the mod_macro module of Apache HTTP Server, affecting releases through 2.4.57; the httpd packages shipped by Debian and Fedora are affected downstream. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 39.1% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-31122 is an out-of-bounds read vulnerability, tracked as CWE-125, in the mod_macro module of Apache HTTP Server versions through 2.4.57. It carries a CVSS 3.1 base score of 7.5 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: network attack vector, low attack complexity, no privileges or user interaction required, high availability impact, and no confidentiality or integrity impact.
Per that vector, remote attackers can trigger the flaw over the network to induce a denial-of-service condition against an unpatched server. Because the vulnerability requires no authentication or special conditions beyond sending crafted requests, any internet-facing Apache instance running an affected version is potentially reachable. Exposure does, however, require mod_macro to be present: it is an optional module that must be explicitly loaded (LoadModule macro_module ...; a2enmod macro on Debian), so an instance whose loaded-module list (httpd -M or apache2ctl -M) does not contain macro_module is not affected by this issue.
The fix shipped in Apache HTTP Server 2.4.58. The Apache project has published details at httpd.apache.org/security/vulnerabilities_24.html, and downstream distributions including Debian and Fedora have issued coordinated advisories that direct administrators to apply the corresponding package updates; those packages carry the fix as a backport, so the upstream version string alone does not tell whether a distribution build is patched.
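The exposure check described above, written out as an added example that is not part of this page or of the Apache project's own tooling: a POSIX shell script that takes the output of `httpd -v` and `httpd -M` (or `apache2ctl -M`) and reports whether an instance is patched, not exposed because mod_macro is not loaded, or affected. It assumes 2.4.58 as the first fixed upstream release and that mod_macro must be loaded for the flaw to be reachable; the sample command output embedded in it is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the Apache project or this advisory): triage a local
# httpd instance for CVE-2023-31122 from two artifacts an administrator can
# collect, the output of `httpd -v` and of `httpd -M` (apache2ctl -M on Debian).
# Assumptions (mine): 2.4.58 is the first fixed upstream release, and mod_macro
# is optional, so a server without macro_module loaded is not exposed. Distro
# packages backport fixes without changing the upstream version string, so an
# "affected" verdict on Debian/Fedora must be confirmed against the package
# changelog or the distribution advisory.

FIXED_VERSION=2.4.58

# Pull "2.4.57" out of "Server version: Apache/2.4.57 (Unix)"; prints nothing
# if no such line is present.
httpd_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Print the three numeric components of "x.y.z" (missing parts become 0,
# anything after the third dot is dropped).
split_version() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    pat=${pat%%.*}
    printf '%d %d %d\n' "${maj:-0}" "${min:-0}" "${pat:-0}"
}

# Exit 0 if version $1 is strictly older than version $2, otherwise 1.
version_lt() {
    set -- $(split_version "$1") $(split_version "$2")
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Exit 0 if macro_module appears in the loaded-module list.
mod_macro_loaded() {
    printf '%s\n' "$1" | grep -q '^ *macro_module'
}

# Verdict for one instance: "patched", "not-exposed", "affected" or "unknown".
# $1 is the `httpd -v` output, $2 the `httpd -M` output.
assess() {
    ver=$(httpd_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo patched
    elif mod_macro_loaded "$2"; then
        echo affected
    else
        echo not-exposed
    fi
}

# Constructed sample output standing in for a real `httpd -v` / `httpd -M` run.
SAMPLE_VERSION='Server version: Apache/2.4.57 (Unix)
Server built:   Apr  5 2023 12:00:00'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 macro_module (shared)
 dir_module (shared)'

echo "verdict: $(assess "$SAMPLE_VERSION" "$SAMPLE_MODULES")"
# On a live host (httpd -M needs a readable config): 
#   assess "$(httpd -v)" "$(httpd -M 2>/dev/null)"
```

The three-way verdict matters in practice: a fleet scan that only compares version strings will flag every 2.4.57 host, while the loaded-module check narrows remediation to the hosts where the vulnerable code is actually mapped into the server process.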
The CVE's EPSS score rose from a low baseline to a peak of 0.0574 (about 5.7%) on 2025-01-22 before receding to its current value of 0.0040, indicating a period of heightened exploitation interest well after the initial disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-35448
Vulnerability details
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
No named threat actor is attributed to this CVE; ATT&CK technique mapping is in progress.
Affected Assets
Apache HTTP Server through 2.4.57 with mod_macro loaded, including the corresponding httpd/apache2 packages on Debian and Fedora prior to their patched builds.
Mitigating Controls
No mitigating controls have been mapped by the per-CVE control annotator yet. The practical measures supported by the advisories above are: upgrade to Apache HTTP Server 2.4.58 or later, or to the distribution's patched package; and, where the upgrade is delayed, do not load mod_macro on internet-facing servers unless it is required, since the vulnerable code is only reachable when the module is loaded.