CVE-2022-29404: In Apache HTTP Server 2.4.53 and earlier, a malicious request to a Lua script may cause a denial of service due to no default limit on possible input size.

A possible workaround for this issue is to add the following code to the bottom of the script to limit the size of incoming POST variables:

    require "post"
    post = Post.new(request)
    if post.params.size > 10
      # limit the size of POST variables
    end

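In mod_lua itself, the amount of request body a handler will parse is set by the optional size argument to r:parsebody, so a handler can bound its own input on any server version. The following is an added example, not code from the original page or from the Apache project; the MAX_BODY value, the 405/413 responses and the stub request objects at the end are assumptions made for illustration.

```lua
-- Added example, not from the original page or the Apache project.
-- MAX_BODY is an illustrative cap; pick one that fits the application.
local MAX_BODY = 64 * 1024

-- True when Content-Length is absent (e.g. chunked) or within the cap.
local function declared_length_ok(r)
    local cl = tonumber(r.headers_in['Content-Length'] or '')
    return cl == nil or cl <= MAX_BODY
end

function handle(r)
    if r.method ~= 'POST' then
        return 405
    end
    -- Reject early on the declared size, before any body is read.
    if not declared_length_ok(r) then
        return 413
    end
    -- Pass an explicit non-zero limit; never r:parsebody(0).
    local post = r:parsebody(MAX_BODY)
    r.content_type = 'text/plain'
    for name, value in pairs(post) do
        r:puts(string.format('%s has %d bytes\n', name, #tostring(value)))
    end
    return apache2.OK
end

-- Constructed stub requests so the file also runs under a plain Lua
-- interpreter; inside httpd the apache2 global exists and this is skipped.
if not apache2 then
    apache2 = { OK = 0 }
    local big = { method = 'POST',
                  headers_in = { ['Content-Length'] = '1048576' } }
    assert(handle(big) == 413)

    local out = {}
    local small = {
        method = 'POST', headers_in = {},
        parsebody = function(_, limit)
            assert(limit == MAX_BODY)
            return { a = 'bc' }, {}
        end,
        puts = function(_, s) out[#out + 1] = s end,
    }
    assert(handle(small) == apache2.OK and out[1] == 'a has 2 bytes\n')
end
```

The Content-Length check is only a fast path: a request without that header still reaches r:parsebody, where the explicit limit is what bounds the parse.
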
This issue has been addressed in Apache HTTP Server 2.4.54 and later. A malicious request to a Lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.

CVE-2018-9800: An issue has been identified in the mod_status module that allows a remote attacker to cause a denial of service. This issue occurs because mod_status does not handle requests with User-Agent strings that contain a string that is not a supported User-Agent string. This may lead to an Apache process crash.

HTTP/2 and Lua API changes

Certain changes in the HTTP/2 protocol and the Lua API may cause a memory leak. These changes have been addressed in Apache HTTP Server 2.4.54 and later.
