VDB

ALPINE-CVE-2022-28614

ALPINE-CVE-2022-28614 PUBLISHED CVSS 5.300000190734863 MEDIUM

The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue.

Risk Scores

CVSS 3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products

VendorProductVersions
Alpine:v3.19apache22.4.27-r1, 2.4.27-r0, 2.4.26-r0
Alpine:v3.17apache22.4.12-r3, 2.4.38-r0, 2.4.43-r0
Alpine:v3.13apache20, 2.2.16-r1, 2.2.16-r2
Alpine:v3.16apache22.4.37-r1, 2.4.38-r1, 2.4.38-r2
Alpine:v3.22apache22.2.16-r3, 2.4.17-r0, 2.4.17-r2
Alpine:v3.20apache20, 2.2.16-r0, 2.2.16-r1
Alpine:v3.18apache22.4.4-r1, 2.4.41-r0, 2.4.43-r0
Alpine:v3.21apache22.2.21-r3, 0, 2.2.16-r1
Alpine:v3.23apache22.4.27-r0, 2.4.17-r1, 2.4.17-r2
Alpine:v3.14apache22.2.16-r0, 2.4.9-r0, 2.4.7-r0
Alpine:v3.15apache22.4.6-r1, 0, 2.2.16-r0

Timeline

  • Jun 9, 2022 CVE Published
  • Dec 3, 2025 CVE Updated
  • Apr 30, 2026 Distribution Patch
Open in Interactive Console →
$ Console Community · 100/wk Open console ›