CVE-2022-36760
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-36760
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-36760.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-36760
- Aliases
- Downstream
- Related
- Published
- 2023-01-17T20:15:11Z
- Modified
- 2025-10-15T04:36:25Z
- Severity
-
- 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in modproxyajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.
- References
Affected packages
Git / github.com/apache/httpd
Database specific
vanir_signatures
[
{
"signature_version": "v1",
"id": "CVE-2022-36760-05660306",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "modules/http/http_filters.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"threshold": 0.9,
"line_hashes": [
"215235632762497873337552732721289754096",
"24505909017487109289197479606645951763",
"269804327028752277585002906226113753410",
"171127058332314757774224674492647339899",
"65855240028427759827871972319349696777",
"9340754287123664822538697156905355422",
"216293499819962008574588226707157373786",
"323355978169316179059084474221525128335",
"43591760228289782509993956618803697681",
"53125307870222428959572614817375255830",
"261909084624349911691869984889513754869",
"198272137957163216222170122070704558740",
"74904678240870008953814580303675819458",
"123541207260161800072819874063242617870",
"326734248603573075650368574199451642281",
"205582104031566062221292578707458606516",
"198239199067460507190924484741689895469",
"70719477052583661258216354032452777122",
"53939109591082090124270838115897448300",
"91670740161215281561085471564041864071",
"162856334054493880295521178248845340263",
"337490544885592502536273587202181198080",
"172483775912233372999978997768213233856",
"224174282606727590881756013650088186714",
"217202974838375302355531037963826914867",
"28748017533023556211354748888733394263",
"4277841005971451158984085932442882499",
"140640609681873750043123795797736427898",
"99598318256675815503519593907001946283",
"273049790432472217814427782104321647164",
"61692784723071770239909248619149278925",
"60433367287638418108431978867558673017",
"267746418242369376390282494228646653921",
"43809435227176682249296597483640255024",
"323358462999696344951077841066046049298",
"15564962399561328802244454166866780192",
"107634073103053393246766003178417209962",
"58757959619964303930385638606816040908",
"49355244407934817589728462656854730306",
"282490145323453168723879749035934363134",
"208440702212378144038842850194405164871",
"57210224878017732633909369306287006052"
]
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-0a9eb4c6",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "on_header_cb",
"file": "modules/http2/h2_session.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"function_hash": "317385478870669806042512726585119461481",
"length": 817.0
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-0c1fb191",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "modules/aaa/mod_authnz_fcgi.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"threshold": 0.9,
"line_hashes": [
"320685819439627446275323624058714373966",
"4437913042755863553551407808748063858",
"133077320917449680930722761406252078968",
"237784192793118199306174258954937554672",
"243150208518384701169532961132329677813",
"91499260228586728611900293866722136930"
]
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-196336ad",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "uwsgi_response",
"file": "modules/proxy/mod_proxy_uwsgi.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"function_hash": "10403914399381030884383356182194936670",
"length": 3337.0
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-27feeb04",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "ap_http_header_filter",
"file": "modules/http/http_filters.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"function_hash": "234047399897046966211054205048932451251",
"length": 4885.0
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-2cf21097",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "cgid_handler",
"file": "modules/generators/mod_cgid.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"function_hash": "326980140130183722009141601499901427948",
"length": 5945.0
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-3b7f2208",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "modules/proxy/mod_proxy_uwsgi.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"threshold": 0.9,
"line_hashes": [
"255320846131373276944352765426545265657",
"220990201380745810362557138718185665810",
"332800477934699708957315666136130039453",
"57655922081829193086228416368915944333",
"193028552126066479584710170072716384696",
"306847029167979628525192405182568377868",
"13675885661688075835230093045316719764"
]
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-4f17e17d",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "modules/http2/h2_session.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"threshold": 0.9,
"line_hashes": [
"168374910695647289688486986336027226404",
"64545217510032587172024555548488846662",
"213104344809567109064309774807894071690",
"116394038123439761704559243505178021783",
"313724605015954537099389619248346963923",
"94190878219445993330785630949039836908",
"87350873968782306685701709979036519902"
]
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-5a7eadc1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "modules/generators/mod_cgi.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"threshold": 0.9,
"line_hashes": [
"39255460570977987612852082932540765482",
"265928348890962651258253616968905600978",
"142682412603495225950927651435963585096",
"63919310572970072907645112919669359424",
"42127122994899182142875495923090243150",
"76530711578302820617430419969694344572",
"219953798253321960991850092662421209625",
"327709730529135651963401061714860841535",
"288231411699436656731295737964481440152"
]
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-5b663962",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "modules/generators/mod_cgid.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"threshold": 0.9,
"line_hashes": [
"270927104279576199498567295395435885094",
"99538497914987599632194982831015425878",
"225849934958777710850433424386735925199",
"63919310572970072907645112919669359424",
"42127122994899182142875495923090243150",
"76530711578302820617430419969694344572",
"239185577410194050532728887323712111245",
"181220966904201524953373642973991120755",
"63879406102525981755435869183674645921"
]
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-5f917adc",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "h2_stream_add_header",
"file": "modules/http2/h2_stream.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"function_hash": "256478495264024730914017232125310854593",
"length": 2575.0
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-7ca1bfc4",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "modules/http2/h2_stream.h"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"threshold": 0.9,
"line_hashes": [
"339476677267130276423914493249125884094",
"308669270261298203112857132228320451958",
"224606176825471129866513366689685250441",
"326113402237659882045697949322997268938"
]
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-9269c654",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "modules/proxy/mod_proxy_fcgi.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"threshold": 0.9,
"line_hashes": [
"175045820842121409826107189494858206469",
"108767792118661720425791638978116735151",
"210981060236512801630278497338423517377",
"18294951486760965001664340312534026521",
"24865828267144144333020119014586295296",
"96329296980547709227616994621131089836"
]
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-9be836e5",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "dispatch",
"file": "modules/proxy/mod_proxy_fcgi.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"function_hash": "320331990816208684279333184284307168393",
"length": 7372.0
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-a431a949",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "ajp_unmarshal_response",
"file": "modules/proxy/ajp_header.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"function_hash": "50293639413245921948773135636073083561",
"length": 3045.0
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-a4367b32",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "modules/proxy/mod_proxy_scgi.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"threshold": 0.9,
"line_hashes": [
"31986517357899008810586075017470213458",
"235573177160137212480150788606694013639",
"51642304104147144344885346025374892929",
"260647560374505275708114096239729237683",
"245168133353169015507657332937978983605",
"227871179673273695688235128490184906034"
]
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-cb8e0105",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "modules/proxy/ajp_header.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"threshold": 0.9,
"line_hashes": [
"64286343022752665609180683524149872306",
"273775134934647879926267947300242089542",
"159133851767459149216789132194711228088",
"90605436551407912770359445522802665942",
"211545554684484972247114950613261558609",
"51642304104147144344885346025374892929",
"77519612195595135475527502202086168765",
"43426873685167930703356464824653656868",
"248297778276390870710984595476106953617"
]
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-d4164e65",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "cgi_handler",
"file": "modules/generators/mod_cgi.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"function_hash": "316127029547763239834464508092720557982",
"length": 5572.0
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-d8eb8533",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "pass_response",
"file": "modules/proxy/mod_proxy_scgi.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"function_hash": "4431659237598244312012409011089200615",
"length": 2679.0
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-e4d25c2d",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "check_headers",
"file": "modules/http/http_filters.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"function_hash": "87808410051623952055802105983490861249",
"length": 689.0
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-f5ebf7fe",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "modules/http2/h2_stream.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"threshold": 0.9,
"line_hashes": [
"327871711707556119057536597951744451310",
"58778531813107397474440930036096021924",
"131051163041164275265732397386558810515",
"61859579354514806196525741320043065949"
]
}
},
{
"signature_version": "v1",
"id": "CVE-2022-36760-f9b87028",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "handle_response",
"file": "modules/aaa/mod_authnz_fcgi.c"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"digest": {
"function_hash": "51382453354798472902155357576054334745",
"length": 4035.0
}
}
]