CVE-2022-34037

An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. Note: This has been disputed as a bug, not a security vulnerability, in the Caddy web server that emerged when an administrator's bad configuration containing a malformed request URI caused the server to return an empty reply instead of a valid HTTP response to the client.

Published: Jul 22, 2022
Updated: May 4, 2024
CVE: CVE-2022-34037
GHSA: GHSA-m7gr-5w5g-36jf
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-125

Affected Software
References

Software	From	Fixed in
caddyserver / caddy	2.5.1	2.5.1.x
github.com/caddyserver/caddy	-	2.5.2

https://github.com/caddyserver/caddy/commit/693e9b5283e675b56084ecc83d73176cab0ee27c
https://github.com/caddyserver/caddy/issues/4775
https://github.com/caddyserver/caddy/issues/4775#issuecomment-1203388116

Vulnerability Database

CVE-2022-34037

Deep Security Visibility Without the Complexity