content/security/json/CVE-2022-28614.json - httpd-site - Git at Google

 {
   "data_type": "CVE",
   "data_format": "MITRE",
   "data_version": "4.0",
   "generator": {
     "engine": "Vulnogram 0.0.9"
   },
   "CVE_data_meta": {
     "ID": "CVE-2022-28614",
     "ASSIGNER": "security@apache.org",
     "DATE_PUBLIC": "",
     "TITLE": "read beyond bounds via ap_rwrite() ",
     "AKA": "",
     "STATE": "PUBLIC"
   },
   "source": {
     "defect": [],
     "advisory": "",
     "discovery": "UNKNOWN"
   },
   "affects": {
     "vendor": {
       "vendor_data": [
         {
           "vendor_name": "Apache Software Foundation",
           "product": {
             "product_data": [
               {
                 "product_name": "Apache HTTP Server",
                 "version": {
                   "version_data": [
                     {
                       "version_name": "",
                       "version_affected": "<=",
                       "version_value": "2.4.53",
                       "platform": ""
                     }
                   ]
                 }
               }
             ]
           }
         }
       ]
     }
   },
   "problemtype": {
     "problemtype_data": [
       {
         "description": [
           {
             "lang": "eng",
             "value": "CWE-190 Integer Overflow or Wraparound"
           }
         ]
       },
       {
         "description": [
           {
             "lang": "eng",
             "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
           }
         ]
       }
     ]
   },
   "description": {
     "description_data": [
       {
         "value": "The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function.\n\nModules compiled and distributed separately from Apache HTTP Server that use the \"ap_rputs\" function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve\nthe issue.",
         "lang": "eng"
       }
     ]
   },
   "references": {
     "reference_data": [
       {
         "refsource": "CONFIRM",
         "url": "https://httpd.apache.org/security/vulnerabilities_24.html",
         "name": ""
       }
     ]
   },
   "configuration": [],
   "impact": [
     {
       "other": "low"
     }
   ],
   "exploit": [],
   "work_around": [],
   "solution": [],
   "credit": [
     {
       "lang": "eng",
       "value": "The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue"
     }
   ],
   "CNA_private": {
     "owner": "httpd",
     "publish": {
       "ym": "",
       "year": "",
       "month": ""
     },
     "share_with_CVE": true,
     "CVE_table_description": [],
     "CVE_list": [],
     "internal_comments": "",
     "todo": [],
     "emailed": "yes",
     "userslist": "dev@httpd.apache.org",
     "email": ""
   },
   "timeline": [
     {
       "time": "2022-06-08",
       "lang": "eng",
       "value": "released in 2.4.54"
     }
   ]
 }
	{
	"data_type": "CVE",
	"data_format": "MITRE",
	"data_version": "4.0",
	"generator": {
	"engine": "Vulnogram 0.0.9"
	},
	"CVE_data_meta": {
	"ID": "CVE-2022-28614",
	"ASSIGNER": "security@apache.org",
	"DATE_PUBLIC": "",
	"TITLE": "read beyond bounds via ap_rwrite() ",
	"AKA": "",
	"STATE": "PUBLIC"
	},
	"source": {
	"defect": [],
	"advisory": "",
	"discovery": "UNKNOWN"
	},
	"affects": {
	"vendor": {
	"vendor_data": [
	{
	"vendor_name": "Apache Software Foundation",
	"product": {
	"product_data": [
	{
	"product_name": "Apache HTTP Server",
	"version": {
	"version_data": [
	{
	"version_name": "",
	"version_affected": "<=",
	"version_value": "2.4.53",
	"platform": ""
	}
	]
	}
	}
	]
	}
	}
	]
	}
	},
	"problemtype": {
	"problemtype_data": [
	{
	"description": [
	{
	"lang": "eng",
	"value": "CWE-190 Integer Overflow or Wraparound"
	}
	]
	},
	{
	"description": [
	{
	"lang": "eng",
	"value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
	}
	]
	}
	]
	},
	"description": {
	"description_data": [
	{
	"value": "The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function.\n\nModules compiled and distributed separately from Apache HTTP Server that use the \"ap_rputs\" function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve\nthe issue.",
	"lang": "eng"
	}
	]
	},
	"references": {
	"reference_data": [
	{
	"refsource": "CONFIRM",
	"url": "https://httpd.apache.org/security/vulnerabilities_24.html",
	"name": ""
	}
	]
	},
	"configuration": [],
	"impact": [
	{
	"other": "low"
	}
	],
	"exploit": [],
	"work_around": [],
	"solution": [],
	"credit": [
	{
	"lang": "eng",
	"value": "The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue"
	}
	],
	"CNA_private": {
	"owner": "httpd",
	"publish": {
	"ym": "",
	"year": "",
	"month": ""
	},
	"share_with_CVE": true,
	"CVE_table_description": [],
	"CVE_list": [],
	"internal_comments": "",
	"todo": [],
	"emailed": "yes",
	"userslist": "dev@httpd.apache.org",
	"email": ""
	},
	"timeline": [
	{
	"time": "2022-06-08",
	"lang": "eng",
	"value": "released in 2.4.54"
	}
	]
	}