{"id":"CVE-2022-36760","summary":"Apache HTTP Server: mod_proxy_ajp Possible request smuggling","details":"Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4, version 2.4.54 and prior versions.","aliases":["BIT-apache-2022-36760"],"modified":"2026-05-19T03:53:27.900373Z","published":"2023-01-17T19:11:55.106Z","related":["ALSA-2023:0852","ALSA-2023:0970","SUSE-SU-2023:0183-1","SUSE-SU-2023:0185-1","SUSE-SU-2023:0294-1","SUSE-SU-2023:0321-1","SUSE-SU-2023:0322-1","openSUSE-SU-2024:12635-1"],"database_specific":{"cwe_ids":["CWE-444"],"cna_assigner":"apache","unresolved_ranges":[{"extracted_events":[{"introduced":"2.4"},{"last_affected":"2.4.54"}],"source":"AFFECTED_FIELD"}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36760.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36760.json"},{"type":"ADVISORY","url":"https://httpd.apache.org/security/vulnerabilities_24.html"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36760"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202309-01"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/httpd","events":[{"introduced":"da5873e80d6eee7a0838793bf68f1d0254745fbb"},{"fixed":"8201e867f1d4cdf61840625c6c4be901e3f1b6ba"}],"database_specific":{"extracted_events":[{"introduced":"2.4.0"},{"fixed":"2.4.55"}],"cpe":"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"database_specific":{"vanir_signatures_modified":"2026-05-19T03:53:27Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-36760.json","vanir_signatures":[{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4
be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2022-36760-05660306","digest":{"threshold":0.9,"line_hashes":["215235632762497873337552732721289754096","24505909017487109289197479606645951763","269804327028752277585002906226113753410","171127058332314757774224674492647339899","65855240028427759827871972319349696777","9340754287123664822538697156905355422","216293499819962008574588226707157373786","323355978169316179059084474221525128335","43591760228289782509993956618803697681","53125307870222428959572614817375255830","261909084624349911691869984889513754869","198272137957163216222170122070704558740","74904678240870008953814580303675819458","123541207260161800072819874063242617870","326734248603573075650368574199451642281","205582104031566062221292578707458606516","198239199067460507190924484741689895469","70719477052583661258216354032452777122","53939109591082090124270838115897448300","91670740161215281561085471564041864071","162856334054493880295521178248845340263","337490544885592502536273587202181198080","172483775912233372999978997768213233856","224174282606727590881756013650088186714","217202974838375302355531037963826914867","28748017533023556211354748888733394263","4277841005971451158984085932442882499","140640609681873750043123795797736427898","99598318256675815503519593907001946283","273049790432472217814427782104321647164","61692784723071770239909248619149278925","60433367287638418108431978867558673017","267746418242369376390282494228646653921","43809435227176682249296597483640255024","323358462999696344951077841066046049298","15564962399561328802244454166866780192","107634073103053393246766003178417209962","58757959619964303930385638606816040908","49355244407934817589728462656854730306","282490145323453168723879749035934363134","208440702212378144038842850194405164871","57210224878017732633909369306287006052"]},"target":{"file":"modules/http/http_filters.c"}},{"source":"https://github.com/apache/httpd/commit/8
201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2022-36760-0a9eb4c6","digest":{"function_hash":"317385478870669806042512726585119461481","length":817},"target":{"function":"on_header_cb","file":"modules/http2/h2_session.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2022-36760-0c1fb191","digest":{"threshold":0.9,"line_hashes":["320685819439627446275323624058714373966","4437913042755863553551407808748063858","133077320917449680930722761406252078968","237784192793118199306174258954937554672","243150208518384701169532961132329677813","91499260228586728611900293866722136930"]},"target":{"file":"modules/aaa/mod_authnz_fcgi.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2022-36760-196336ad","digest":{"function_hash":"10403914399381030884383356182194936670","length":3337},"target":{"function":"uwsgi_response","file":"modules/proxy/mod_proxy_uwsgi.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2022-36760-27feeb04","digest":{"function_hash":"234047399897046966211054205048932451251","length":4885},"target":{"function":"ap_http_header_filter","file":"modules/http/http_filters.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2022-36760-2cf21097","digest":{"function_hash":"326980140130183722009141601499901427948","length":5945},"target":{"function":"cgid_handler","file":"modules/generators/mod_cgid.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba"
,"signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2022-36760-3b7f2208","digest":{"threshold":0.9,"line_hashes":["255320846131373276944352765426545265657","220990201380745810362557138718185665810","332800477934699708957315666136130039453","57655922081829193086228416368915944333","193028552126066479584710170072716384696","306847029167979628525192405182568377868","13675885661688075835230093045316719764"]},"target":{"file":"modules/proxy/mod_proxy_uwsgi.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2022-36760-4f17e17d","digest":{"threshold":0.9,"line_hashes":["168374910695647289688486986336027226404","64545217510032587172024555548488846662","213104344809567109064309774807894071690","116394038123439761704559243505178021783","313724605015954537099389619248346963923","94190878219445993330785630949039836908","87350873968782306685701709979036519902"]},"target":{"file":"modules/http2/h2_session.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2022-36760-5a7eadc1","digest":{"threshold":0.9,"line_hashes":["39255460570977987612852082932540765482","265928348890962651258253616968905600978","142682412603495225950927651435963585096","63919310572970072907645112919669359424","42127122994899182142875495923090243150","76530711578302820617430419969694344572","219953798253321960991850092662421209625","327709730529135651963401061714860841535","288231411699436656731295737964481440152"]},"target":{"file":"modules/generators/mod_cgi.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2022-36760-5b663962","digest":{"threshold":0.9,"line_hashes":["270927104279576199498567295395435885094","995384
97914987599632194982831015425878","225849934958777710850433424386735925199","63919310572970072907645112919669359424","42127122994899182142875495923090243150","76530711578302820617430419969694344572","239185577410194050532728887323712111245","181220966904201524953373642973991120755","63879406102525981755435869183674645921"]},"target":{"file":"modules/generators/mod_cgid.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2022-36760-5f917adc","digest":{"function_hash":"256478495264024730914017232125310854593","length":2575},"target":{"function":"h2_stream_add_header","file":"modules/http2/h2_stream.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2022-36760-7ca1bfc4","digest":{"threshold":0.9,"line_hashes":["339476677267130276423914493249125884094","308669270261298203112857132228320451958","224606176825471129866513366689685250441","326113402237659882045697949322997268938"]},"target":{"file":"modules/http2/h2_stream.h"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2022-36760-9269c654","digest":{"threshold":0.9,"line_hashes":["175045820842121409826107189494858206469","108767792118661720425791638978116735151","210981060236512801630278497338423517377","18294951486760965001664340312534026521","24865828267144144333020119014586295296","96329296980547709227616994621131089836"]},"target":{"file":"modules/proxy/mod_proxy_fcgi.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2022-36760-9be836e5","digest":{"function_hash":"320331990816208684279333184284307168393","length":7372},"t
arget":{"function":"dispatch","file":"modules/proxy/mod_proxy_fcgi.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2022-36760-a431a949","digest":{"function_hash":"50293639413245921948773135636073083561","length":3045},"target":{"function":"ajp_unmarshal_response","file":"modules/proxy/ajp_header.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2022-36760-a4367b32","digest":{"threshold":0.9,"line_hashes":["31986517357899008810586075017470213458","235573177160137212480150788606694013639","51642304104147144344885346025374892929","260647560374505275708114096239729237683","245168133353169015507657332937978983605","227871179673273695688235128490184906034"]},"target":{"file":"modules/proxy/mod_proxy_scgi.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2022-36760-cb8e0105","digest":{"threshold":0.9,"line_hashes":["64286343022752665609180683524149872306","273775134934647879926267947300242089542","159133851767459149216789132194711228088","90605436551407912770359445522802665942","211545554684484972247114950613261558609","51642304104147144344885346025374892929","77519612195595135475527502202086168765","43426873685167930703356464824653656868","248297778276390870710984595476106953617"]},"target":{"file":"modules/proxy/ajp_header.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2022-36760-d4164e65","digest":{"function_hash":"316127029547763239834464508092720557982","length":5572},"target":{"function":"cgi_handler","file":"modules/generators/mod_cgi.c"}},{"source":"https://gith
ub.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2022-36760-d8eb8533","digest":{"function_hash":"4431659237598244312012409011089200615","length":2679},"target":{"function":"pass_response","file":"modules/proxy/mod_proxy_scgi.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2022-36760-e4d25c2d","digest":{"function_hash":"87808410051623952055802105983490861249","length":689},"target":{"function":"check_headers","file":"modules/http/http_filters.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2022-36760-f5ebf7fe","digest":{"threshold":0.9,"line_hashes":["327871711707556119057536597951744451310","58778531813107397474440930036096021924","131051163041164275265732397386558810515","61859579354514806196525741320043065949"]},"target":{"file":"modules/http2/h2_stream.c"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2022-36760-f9b87028","digest":{"function_hash":"51382453354798472902155357576054334745","length":4035},"target":{"function":"handle_response","file":"modules/aaa/mod_authnz_fcgi.c"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}