High
CVE-2022-30556 CVSS:5.3
Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by an error in mod_lua with websockets. An attacker could exploit this vulnerability to return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
CVE-2022-31813 CVSS:5.3
Apache HTTP Server could allow a remote attacker to bypass security restrictions, caused by the failure to send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. An attacker could exploit this vulnerability to bypass IP based authentication on the origin server/application.
CVE-2022-30522 CVSS:5.3
Apache HTTP Server is vulnerable to a denial of service when configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large. By making excessively large memory allocations, a remote attacker could exploit this vulnerability to trigger an abort.
CVE-2022-28615 CVSS:6.5
Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. An attacker could exploit this vulnerability to crash or disclose information.
CVE-2022-28330 CVSS:5.3
Apache HTTP Server could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to read beyond bounds when configured to process requests with the mod_isapi module.
CVE-2022-28614 CVSS:5.3
Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by an error in the ap_rwrite() function. By reflecting very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function, an attacker could exploit this vulnerability to read unintended memory.
CVE-2022-29404 CVSS:5.3
Apache HTTP Server is vulnerable to a denial of service, caused by no default limit on possible input size. By sending a specially crafted request to a lua script that calls r:parsebody(0), an attacker could exploit this vulnerability to cause a denial of service.
Apache
Upgrade to the latest version of HTTP Server, available from the Apache Website.