Cyber Resilience

CVE-2023-31122

High

Published: 23 October 2023

Modified: 01 August 2025
KEV Added: not listed
Patch
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0040 (60.9th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-31122 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the mod_macro module of Apache HTTP Server, as shipped in Debian Linux. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 39.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-31122 is an out-of-bounds read vulnerability, tracked as CWE-125, that affects the mod_macro module in Apache HTTP Server versions through 2.4.57. The flaw carries a CVSS 3.1 score of 7.5 with a vector indicating a network attack vector, low attack complexity, and no required privileges or user interaction, resulting in high availability impact while leaving confidentiality and integrity unaffected.

Remote attackers can trigger the flaw over the network to induce a denial-of-service condition against an unpatched server. Because the vulnerability requires no authentication or special conditions beyond sending crafted requests, any internet-facing Apache instance running an affected version is potentially reachable.

The Apache project has published details at httpd.apache.org/security/vulnerabilities_24.html, and downstream distributions including Debian and Fedora have issued coordinated advisories that direct administrators to apply the corresponding package updates.

EPSS for the CVE rose from a low baseline to a peak of 0.0574 on 2025-01-22 before receding to the current value of 0.0040, indicating a period of increased exploitation interest well after initial disclosure.

Vulnerability details

Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.

CWE(s)

CWE-125: Out-of-bounds Read

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor         Product        Version
debian         debian linux   10.0
apache         http server    ≤ 2.4.58
fedoraproject  fedora         38

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
