CVE-2022-37436
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-37436
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-37436.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-37436
- Aliases
- Downstream
- Related
- Published
- 2023-01-17T20:15:11Z
- Modified
- 2025-10-15T04:34:24Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
- References
Affected packages
Git / github.com/apache/httpd
Affected ranges
- Type
- GIT
- Repo
- https://github.com/apache/httpd
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Database specific
vanir_signatures
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"215235632762497873337552732721289754096",
"24505909017487109289197479606645951763",
"269804327028752277585002906226113753410",
"171127058332314757774224674492647339899",
"65855240028427759827871972319349696777",
"9340754287123664822538697156905355422",
"216293499819962008574588226707157373786",
"323355978169316179059084474221525128335",
"43591760228289782509993956618803697681",
"53125307870222428959572614817375255830",
"261909084624349911691869984889513754869",
"198272137957163216222170122070704558740",
"74904678240870008953814580303675819458",
"123541207260161800072819874063242617870",
"326734248603573075650368574199451642281",
"205582104031566062221292578707458606516",
"198239199067460507190924484741689895469",
"70719477052583661258216354032452777122",
"53939109591082090124270838115897448300",
"91670740161215281561085471564041864071",
"162856334054493880295521178248845340263",
"337490544885592502536273587202181198080",
"172483775912233372999978997768213233856",
"224174282606727590881756013650088186714",
"217202974838375302355531037963826914867",
"28748017533023556211354748888733394263",
"4277841005971451158984085932442882499",
"140640609681873750043123795797736427898",
"99598318256675815503519593907001946283",
"273049790432472217814427782104321647164",
"61692784723071770239909248619149278925",
"60433367287638418108431978867558673017",
"267746418242369376390282494228646653921",
"43809435227176682249296597483640255024",
"323358462999696344951077841066046049298",
"15564962399561328802244454166866780192",
"107634073103053393246766003178417209962",
"58757959619964303930385638606816040908",
"49355244407934817589728462656854730306",
"282490145323453168723879749035934363134",
"208440702212378144038842850194405164871",
"57210224878017732633909369306287006052"
]
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-37436-05660306",
"target": {
"file": "modules/http/http_filters.c"
}
},
{
"digest": {
"length": 817.0,
"function_hash": "317385478870669806042512726585119461481"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-37436-0a9eb4c6",
"target": {
"file": "modules/http2/h2_session.c",
"function": "on_header_cb"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"320685819439627446275323624058714373966",
"4437913042755863553551407808748063858",
"133077320917449680930722761406252078968",
"237784192793118199306174258954937554672",
"243150208518384701169532961132329677813",
"91499260228586728611900293866722136930"
]
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-37436-0c1fb191",
"target": {
"file": "modules/aaa/mod_authnz_fcgi.c"
}
},
{
"digest": {
"length": 3337.0,
"function_hash": "10403914399381030884383356182194936670"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-37436-196336ad",
"target": {
"file": "modules/proxy/mod_proxy_uwsgi.c",
"function": "uwsgi_response"
}
},
{
"digest": {
"length": 4885.0,
"function_hash": "234047399897046966211054205048932451251"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-37436-27feeb04",
"target": {
"file": "modules/http/http_filters.c",
"function": "ap_http_header_filter"
}
},
{
"digest": {
"length": 5945.0,
"function_hash": "326980140130183722009141601499901427948"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-37436-2cf21097",
"target": {
"file": "modules/generators/mod_cgid.c",
"function": "cgid_handler"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"255320846131373276944352765426545265657",
"220990201380745810362557138718185665810",
"332800477934699708957315666136130039453",
"57655922081829193086228416368915944333",
"193028552126066479584710170072716384696",
"306847029167979628525192405182568377868",
"13675885661688075835230093045316719764"
]
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-37436-3b7f2208",
"target": {
"file": "modules/proxy/mod_proxy_uwsgi.c"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"168374910695647289688486986336027226404",
"64545217510032587172024555548488846662",
"213104344809567109064309774807894071690",
"116394038123439761704559243505178021783",
"313724605015954537099389619248346963923",
"94190878219445993330785630949039836908",
"87350873968782306685701709979036519902"
]
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-37436-4f17e17d",
"target": {
"file": "modules/http2/h2_session.c"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"39255460570977987612852082932540765482",
"265928348890962651258253616968905600978",
"142682412603495225950927651435963585096",
"63919310572970072907645112919669359424",
"42127122994899182142875495923090243150",
"76530711578302820617430419969694344572",
"219953798253321960991850092662421209625",
"327709730529135651963401061714860841535",
"288231411699436656731295737964481440152"
]
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-37436-5a7eadc1",
"target": {
"file": "modules/generators/mod_cgi.c"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"270927104279576199498567295395435885094",
"99538497914987599632194982831015425878",
"225849934958777710850433424386735925199",
"63919310572970072907645112919669359424",
"42127122994899182142875495923090243150",
"76530711578302820617430419969694344572",
"239185577410194050532728887323712111245",
"181220966904201524953373642973991120755",
"63879406102525981755435869183674645921"
]
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-37436-5b663962",
"target": {
"file": "modules/generators/mod_cgid.c"
}
},
{
"digest": {
"length": 2575.0,
"function_hash": "256478495264024730914017232125310854593"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-37436-5f917adc",
"target": {
"file": "modules/http2/h2_stream.c",
"function": "h2_stream_add_header"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"339476677267130276423914493249125884094",
"308669270261298203112857132228320451958",
"224606176825471129866513366689685250441",
"326113402237659882045697949322997268938"
]
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-37436-7ca1bfc4",
"target": {
"file": "modules/http2/h2_stream.h"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"175045820842121409826107189494858206469",
"108767792118661720425791638978116735151",
"210981060236512801630278497338423517377",
"18294951486760965001664340312534026521",
"24865828267144144333020119014586295296",
"96329296980547709227616994621131089836"
]
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-37436-9269c654",
"target": {
"file": "modules/proxy/mod_proxy_fcgi.c"
}
},
{
"digest": {
"length": 7372.0,
"function_hash": "320331990816208684279333184284307168393"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-37436-9be836e5",
"target": {
"file": "modules/proxy/mod_proxy_fcgi.c",
"function": "dispatch"
}
},
{
"digest": {
"length": 3045.0,
"function_hash": "50293639413245921948773135636073083561"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-37436-a431a949",
"target": {
"file": "modules/proxy/ajp_header.c",
"function": "ajp_unmarshal_response"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"31986517357899008810586075017470213458",
"235573177160137212480150788606694013639",
"51642304104147144344885346025374892929",
"260647560374505275708114096239729237683",
"245168133353169015507657332937978983605",
"227871179673273695688235128490184906034"
]
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-37436-a4367b32",
"target": {
"file": "modules/proxy/mod_proxy_scgi.c"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"64286343022752665609180683524149872306",
"273775134934647879926267947300242089542",
"159133851767459149216789132194711228088",
"90605436551407912770359445522802665942",
"211545554684484972247114950613261558609",
"51642304104147144344885346025374892929",
"77519612195595135475527502202086168765",
"43426873685167930703356464824653656868",
"248297778276390870710984595476106953617"
]
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-37436-cb8e0105",
"target": {
"file": "modules/proxy/ajp_header.c"
}
},
{
"digest": {
"length": 5572.0,
"function_hash": "316127029547763239834464508092720557982"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-37436-d4164e65",
"target": {
"file": "modules/generators/mod_cgi.c",
"function": "cgi_handler"
}
},
{
"digest": {
"length": 2679.0,
"function_hash": "4431659237598244312012409011089200615"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-37436-d8eb8533",
"target": {
"file": "modules/proxy/mod_proxy_scgi.c",
"function": "pass_response"
}
},
{
"digest": {
"length": 689.0,
"function_hash": "87808410051623952055802105983490861249"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-37436-e4d25c2d",
"target": {
"file": "modules/http/http_filters.c",
"function": "check_headers"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"327871711707556119057536597951744451310",
"58778531813107397474440930036096021924",
"131051163041164275265732397386558810515",
"61859579354514806196525741320043065949"
]
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2022-37436-f5ebf7fe",
"target": {
"file": "modules/http2/h2_stream.c"
}
},
{
"digest": {
"length": 4035.0,
"function_hash": "51382453354798472902155357576054334745"
},
"source": "https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba",
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"id": "CVE-2022-37436-f9b87028",
"target": {
"file": "modules/aaa/mod_authnz_fcgi.c",
"function": "handle_response"
}
}
]