{"id":"CVE-2022-37436","summary":"Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting","details":"Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.","aliases":["BIT-apache-2022-37436"],"modified":"2026-05-19T03:53:32.266308Z","published":"2023-01-17T19:12:59.968Z","related":["ALSA-2023:0852","ALSA-2023:0970","SUSE-SU-2023:0183-1","SUSE-SU-2023:0185-1","SUSE-SU-2023:0294-1","SUSE-SU-2023:0321-1","SUSE-SU-2023:0322-1","openSUSE-SU-2024:12635-1"],"database_specific":{"cna_assigner":"apache","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"fixed":"2.4.55"}]}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/37xxx/CVE-2022-37436.json","cwe_ids":["CWE-113"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/37xxx/CVE-2022-37436.json"},{"type":"ADVISORY","url":"https://httpd.apache.org/security/vulnerabilities_24.html"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37436"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202309-01"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/httpd","events":[{"introduced":"0"},{"fixed":"8201e867f1d4cdf61840625c6c4be901e3f1b6ba"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"2.4.55"}],"cpe":"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"}}],"versions":["2.4.55-rc1-candidate"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-37436.json","vanir_signatures_modified":"2026-05-19T03:53:32Z","vanir_signatures":[{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"file":"modules/http/http_filters.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2022-37436-05660306","digest":{"threshold":0.9,"line_hashes":["215235632762497873337552732721289754096","24505909017487109289197479606645951763","269804327028752277585002906226113753410","171127058332314757774224674492647339899","65855240028427759827871972319349696777","9340754287123664822538697156905355422","216293499819962008574588226707157373786","323355978169316179059084474221525128335","43591760228289782509993956618803697681","53125307870222428959572614817375255830","261909084624349911691869984889513754869","198272137957163216222170122070704558740","74904678240870008953814580303675819458","123541207260161800072819874063242617870","326734248603573075650368574199451642281","205582104031566062221292578707458606516","198239199067460507190924484741689895469","70719477052583661258216354032452777122","53939109591082090124270838115897448300","91670740161215281561085471564041864071","162856334054493880295521178248845340263","337490544885592502536273587202181198080","172483775912233372999978997768213233856","224174282606727590881756013650088186714","217202974838375302355531037963826914867","28748017533023556211354748888733394263","4277841005971451158984085932442882499","140640609681873750043123795797736427898","99598318256675815503519593907001946283","273049790432472217814427782104321647164","61692784723071770239909248619149278925","60433367287638418108431978867558673017","267746418242369376390282494228646653921","43809435227176682249296597483640255024","323358462999696344951077841066046049298","15564962399561328802244454166866780192","107634073103053393246766003178417209962","58757959619964303930385638606816040908","49355244407934817589728462656854730306","282490145323453168723879749035934363134","208440702212378144038842850194405164871","57210224878017732633909369306287006052"]}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"function":"on_header_cb","file":"modules/http2/h2_session.c"},"signature_type":"Function","signature_version":"v1","id":"CVE-2022-37436-0a9eb4c6","digest":{"length":817,"function_hash":"317385478870669806042512726585119461481"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"file":"modules/aaa/mod_authnz_fcgi.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2022-37436-0c1fb191","digest":{"threshold":0.9,"line_hashes":["320685819439627446275323624058714373966","4437913042755863553551407808748063858","133077320917449680930722761406252078968","237784192793118199306174258954937554672","243150208518384701169532961132329677813","91499260228586728611900293866722136930"]}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"function":"uwsgi_response","file":"modules/proxy/mod_proxy_uwsgi.c"},"signature_type":"Function","signature_version":"v1","id":"CVE-2022-37436-196336ad","digest":{"length":3337,"function_hash":"10403914399381030884383356182194936670"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"function":"ap_http_header_filter","file":"modules/http/http_filters.c"},"signature_type":"Function","signature_version":"v1","id":"CVE-2022-37436-27feeb04","digest":{"length":4885,"function_hash":"234047399897046966211054205048932451251"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"function":"cgid_handler","file":"modules/generators/mod_cgid.c"},"signature_type":"Function","signature_version":"v1","id":"CVE-2022-37436-2cf21097","digest":{"length":5945,"function_hash":"326980140130183722009141601499901427948"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"file":"modules/proxy/mod_proxy_uwsgi.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2022-37436-3b7f2208","digest":{"threshold":0.9,"line_hashes":["255320846131373276944352765426545265657","220990201380745810362557138718185665810","332800477934699708957315666136130039453","57655922081829193086228416368915944333","193028552126066479584710170072716384696","306847029167979628525192405182568377868","13675885661688075835230093045316719764"]}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"file":"modules/http2/h2_session.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2022-37436-4f17e17d","digest":{"threshold":0.9,"line_hashes":["168374910695647289688486986336027226404","64545217510032587172024555548488846662","213104344809567109064309774807894071690","116394038123439761704559243505178021783","313724605015954537099389619248346963923","94190878219445993330785630949039836908","87350873968782306685701709979036519902"]}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"file":"modules/generators/mod_cgi.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2022-37436-5a7eadc1","digest":{"threshold":0.9,"line_hashes":["39255460570977987612852082932540765482","265928348890962651258253616968905600978","142682412603495225950927651435963585096","63919310572970072907645112919669359424","42127122994899182142875495923090243150","76530711578302820617430419969694344572","219953798253321960991850092662421209625","327709730529135651963401061714860841535","288231411699436656731295737964481440152"]}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"file":"modules/generators/mod_cgid.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2022-37436-5b663962","digest":{"threshold":0.9,"line_hashes":["270927104279576199498567295395435885094","99538497914987599632194982831015425878","225849934958777710850433424386735925199","63919310572970072907645112919669359424","42127122994899182142875495923090243150","76530711578302820617430419969694344572","239185577410194050532728887323712111245","181220966904201524953373642973991120755","63879406102525981755435869183674645921"]}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"function":"h2_stream_add_header","file":"modules/http2/h2_stream.c"},"signature_type":"Function","signature_version":"v1","id":"CVE-2022-37436-5f917adc","digest":{"length":2575,"function_hash":"256478495264024730914017232125310854593"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"file":"modules/http2/h2_stream.h"},"signature_type":"Line","signature_version":"v1","id":"CVE-2022-37436-7ca1bfc4","digest":{"threshold":0.9,"line_hashes":["339476677267130276423914493249125884094","308669270261298203112857132228320451958","224606176825471129866513366689685250441","326113402237659882045697949322997268938"]}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"file":"modules/proxy/mod_proxy_fcgi.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2022-37436-9269c654","digest":{"threshold":0.9,"line_hashes":["175045820842121409826107189494858206469","108767792118661720425791638978116735151","210981060236512801630278497338423517377","18294951486760965001664340312534026521","24865828267144144333020119014586295296","96329296980547709227616994621131089836"]}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"function":"dispatch","file":"modules/proxy/mod_proxy_fcgi.c"},"signature_type":"Function","signature_version":"v1","id":"CVE-2022-37436-9be836e5","digest":{"length":7372,"function_hash":"320331990816208684279333184284307168393"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"function":"ajp_unmarshal_response","file":"modules/proxy/ajp_header.c"},"signature_type":"Function","signature_version":"v1","id":"CVE-2022-37436-a431a949","digest":{"length":3045,"function_hash":"50293639413245921948773135636073083561"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"file":"modules/proxy/mod_proxy_scgi.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2022-37436-a4367b32","digest":{"threshold":0.9,"line_hashes":["31986517357899008810586075017470213458","235573177160137212480150788606694013639","51642304104147144344885346025374892929","260647560374505275708114096239729237683","245168133353169015507657332937978983605","227871179673273695688235128490184906034"]}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"file":"modules/proxy/ajp_header.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2022-37436-cb8e0105","digest":{"threshold":0.9,"line_hashes":["64286343022752665609180683524149872306","273775134934647879926267947300242089542","159133851767459149216789132194711228088","90605436551407912770359445522802665942","211545554684484972247114950613261558609","51642304104147144344885346025374892929","77519612195595135475527502202086168765","43426873685167930703356464824653656868","248297778276390870710984595476106953617"]}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"function":"cgi_handler","file":"modules/generators/mod_cgi.c"},"signature_type":"Function","signature_version":"v1","id":"CVE-2022-37436-d4164e65","digest":{"length":5572,"function_hash":"316127029547763239834464508092720557982"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"function":"pass_response","file":"modules/proxy/mod_proxy_scgi.c"},"signature_type":"Function","signature_version":"v1","id":"CVE-2022-37436-d8eb8533","digest":{"length":2679,"function_hash":"4431659237598244312012409011089200615"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"function":"check_headers","file":"modules/http/http_filters.c"},"signature_type":"Function","signature_version":"v1","id":"CVE-2022-37436-e4d25c2d","digest":{"length":689,"function_hash":"87808410051623952055802105983490861249"}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"file":"modules/http2/h2_stream.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2022-37436-f5ebf7fe","digest":{"threshold":0.9,"line_hashes":["327871711707556119057536597951744451310","58778531813107397474440930036096021924","131051163041164275265732397386558810515","61859579354514806196525741320043065949"]}},{"source":"https://github.com/apache/httpd/commit/8201e867f1d4cdf61840625c6c4be901e3f1b6ba","deprecated":false,"target":{"function":"handle_response","file":"modules/aaa/mod_authnz_fcgi.c"},"signature_type":"Function","signature_version":"v1","id":"CVE-2022-37436-f9b87028","digest":{"length":4035,"function_hash":"51382453354798472902155357576054334745"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}