CVE-2022-23943

9.8 CRITICAL

📋 TL;DR

CVE-2022-23943 is a critical out-of-bounds read/write in the mod_sed module of Apache HTTP Server that lets an attacker overwrite heap memory, possibly with attacker-supplied data. Depending on how the corruption lands, the result is a crash of the handling worker (denial of service), information disclosure, or remote code execution. Affected systems are Apache HTTP Server 2.4.52 and earlier with mod_sed loaded and a Sed filter configured on a reachable path.

💻 Affected Systems

Products:
  • Apache HTTP Server
Versions: 2.4.0 through 2.4.52
Operating Systems: All operating systems running affected Apache versions
Default Config Vulnerable: ✅ No
Notes: Only exposed if mod_sed is loaded and an InputSed or OutputSed filter is configured on a path the attacker can reach; data that never passes through a Sed filter never touches the vulnerable code. mod_sed is not loaded by default in a standard build or in common distribution packages.

📦 What is this software?

Apache HTTP Server (httpd) is the Apache Software Foundation's open-source web server. mod_sed is an optional filter module that applies sed-style stream editing to request bodies (the InputSed directive, wired in with AddInputFilter or SetInputFilter Sed) and to response bodies (the OutputSed directive, wired in with AddOutputFilter or SetOutputFilter Sed). It is built as a loadable module and does nothing unless it is both loaded and configured as a filter.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote, unauthenticated attacker gains code execution as the httpd worker user (typically www-data or apache), takes full control of the web server's content and data, and uses that foothold to compromise the rest of the host.

🟠

Likely Case

Worker crashes (denial of service) are the first-order outcome of most attempts; a successful heap overwrite escalates to code execution as the httpd user, followed by data theft or installation of malware or a backdoor on the affected system.

🟢

If Mitigated

With mod_sed unloaded, the vulnerable code is never mapped into the server and requests are unaffected. Where patching is delayed and only network restrictions are in place, failed or partial exploit attempts manifest as worker crashes and instability (denial of service) rather than compromise.

🌐 Internet-Facing: HIGH - Apache HTTP Server is commonly internet-facing and the vulnerability requires no authentication; any Sed-filtered path exposed to the internet is reachable by anyone.
🏢 Internal Only: MEDIUM - Still significant risk for internal systems, but attack surface is limited to internal network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploit code is publicly available and exploitation needs no authentication. What it does need is a request path where a Sed filter is configured (InputSed on request bodies or OutputSed on responses), because only data passing through that filter reaches the vulnerable code; a loaded mod_sed with no filter directives is not reachable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache HTTP Server 2.4.53 and later

Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html

Restart Required: Yes

Instructions:

1. Prefer your distribution's package, which carries the fix as a backport: 'apt-get install --only-upgrade apache2' (Debian/Ubuntu) or 'yum update httpd' (RHEL/CentOS). Confirm the fix is listed in the package changelog: 'zgrep CVE-2022-23943 /usr/share/doc/apache2/changelog.Debian.gz' or 'rpm -q --changelog httpd | grep CVE-2022-23943'.
2. For source builds, download Apache HTTP Server 2.4.53 or later from https://httpd.apache.org/download.cgi, verify the signature, and build with your existing configure options.
3. Back up configuration files, then stop the service: 'systemctl stop apache2' (Debian/Ubuntu), 'systemctl stop httpd' (RHEL/Fedora) or 'apachectl stop'.
4. Install the new build. If mod_sed was disabled as a workaround, it can be re-enabled once the patched build is in place.
5. Validate the configuration with 'apachectl configtest', then start the service: 'systemctl start apache2', 'systemctl start httpd' or 'apachectl start'. A graceful restart is not enough to pick up a new binary, because workers are forked from the still-running parent; the parent process must be stopped and started.

🔧 Temporary Workarounds

Disable mod_sed module

Platform: all

Unload mod_sed so the vulnerable code is never mapped into the server, and remove any Sed filter directives that reference it: httpd refuses to start on an InputSed or OutputSed directive whose module is no longer loaded, so 'apachectl configtest' will point out any leftovers.

# Debian/Ubuntu (module loaded via mods-enabled/):
#   a2dismod sed && apachectl configtest && systemctl restart apache2
# Other layouts: edit httpd.conf and comment out or delete
#   LoadModule sed_module modules/mod_sed.so
# together with any InputSed / OutputSed lines and any
# AddInputFilter / AddOutputFilter / SetInputFilter / SetOutputFilter line naming Sed,
# then: apachectl configtest && systemctl restart httpd

🧯 If You Can't Patch

  • Disable the mod_sed module immediately if it is not required for functionality
  • If the module must stay, remove the Sed filter from internet-reachable locations: only data passing through a configured InputSed/OutputSed filter reaches the vulnerable code
  • Implement network segmentation and restrict access to Apache servers to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Three things must all be true: the server is 2.4.52 or earlier by upstream numbering, mod_sed is loaded, and a Sed filter is configured on a path an attacker can reach. Check the version with 'httpd -v' or 'apache2 -v', the loaded modules with 'httpd -M | grep sed' or 'apache2ctl -M | grep sed', and the configuration for filter directives with 'grep -rnE "(Input|Output)Sed|sed_module" /etc/apache2 /etc/httpd 2>/dev/null'.

Check Version:

httpd -v 2>/dev/null || apache2 -v 2>/dev/null || echo 'Apache not found'

Verify Fix Applied:

For upstream builds, confirm 'httpd -v' reports 2.4.53 or higher. Distribution packages usually keep the older version string and backport the fix, so a version check alone gives false positives there; check the package changelog instead ('zgrep CVE-2022-23943 /usr/share/doc/apache2/changelog.Debian.gz' or 'rpm -q --changelog httpd | grep CVE-2022-23943'). Then confirm the parent process was actually restarted after the upgrade (compare the httpd process start time with the package install time) and, if you relied on the workaround, that 'httpd -M' no longer lists sed_module.
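
The workaround and verification steps above, as a script. This is an added example and not code from the Apache project or from the original page: the function names (httpd_version_vulnerable, config_loads_sed, config_uses_sed_filter, exposure_report), the sample version string and the sample configuration are all this example's own constructed inputs, so it runs offline; on a real host feed it the output of 'httpd -v' and the concatenated configuration files instead.

```shell
#!/bin/sh
# Added example, not code from the Apache project or the original page.
# Offline exposure check for CVE-2022-23943. A host is exposed only when all
# three hold: (1) httpd is 2.4.52 or earlier by upstream numbering,
# (2) mod_sed is loaded, (3) a Sed filter is wired into some request or
# response path. Function names are this example's own.

# httpd_version_vulnerable "<output of httpd -v>"
# exit 0 if the version is 2.4.0..2.4.52, exit 1 otherwise (including non-2.4
# strings). Distribution packages backport the fix without bumping this
# number, so a hit here means "check the package changelog", not "exposed".
httpd_version_vulnerable() {
    minor=$(printf '%s\n' "$1" | sed -n 's#.*Apache/2\.4\.\([0-9][0-9]*\).*#\1#p' | head -n 1)
    [ -n "$minor" ] || return 1
    [ "$minor" -le 52 ]
}

# strip_comments: drop full-line comments so a commented-out LoadModule is not a hit
strip_comments() {
    grep -v '^[[:space:]]*#'
}

# config_loads_sed "<config text>": exit 0 if an active LoadModule loads sed_module
config_loads_sed() {
    printf '%s\n' "$1" | strip_comments |
        grep -qiE '^[[:space:]]*LoadModule[[:space:]]+sed_module[[:space:]]'
}

# config_uses_sed_filter "<config text>": exit 0 if an active directive wires the
# Sed filter in: InputSed/OutputSed, or Add/Set{Input,Output}Filter naming Sed,
# including chained forms such as "SetOutputFilter INCLUDES;Sed"
config_uses_sed_filter() {
    printf '%s\n' "$1" | strip_comments |
        grep -qiE '^[[:space:]]*(InputSed|OutputSed)[[:space:]]|^[[:space:]]*(Add|Set)(Input|Output)Filter[[:space:]]+([^[:space:]]*;)?Sed([[:space:];]|$)'
}

# exposure_report "<httpd -v output>" "<config text>"
# prints one verdict line; exit 0 only when all three preconditions hold
exposure_report() {
    httpd_version_vulnerable "$1" || { echo "not-vulnerable: not a 2.4.0..2.4.52 build"; return 1; }
    config_loads_sed "$2"        || { echo "not-exposed: mod_sed is not loaded"; return 1; }
    config_uses_sed_filter "$2"  || { echo "latent: mod_sed loaded but no Sed filter configured"; return 1; }
    echo "EXPOSED: vulnerable version, mod_sed loaded and a Sed filter is active"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION='Server version: Apache/2.4.52 (Unix)'
SAMPLE_CONFIG='LoadModule sed_module modules/mod_sed.so
# LoadModule rewrite_module modules/mod_rewrite.so
<Location "/api">
    AddOutputFilter Sed html
    OutputSed "s/internal-host/public-host/g"
</Location>'

exposure_report "$SAMPLE_VERSION" "$SAMPLE_CONFIG" || :
exposure_report "$SAMPLE_VERSION" 'LoadModule sed_module modules/mod_sed.so' || :
exposure_report 'Server version: Apache/2.4.53 (Unix)' "$SAMPLE_CONFIG" || :

# Live check when run on a real host: -M lists loaded modules; silent when no
# control binary is present. Feed the real config with e.g.
#   exposure_report "$(httpd -v)" "$(cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf)"
for ctl in apache2ctl apachectl; do
    if command -v "$ctl" >/dev/null 2>&1; then
        if "$ctl" -M 2>/dev/null | grep -q 'sed_module'; then
            echo "live: $ctl reports sed_module loaded"
        else
            echo "live: $ctl does not report sed_module"
        fi
        break
    fi
done
```

The three checks are deliberately separate: a "latent" verdict (module loaded, no filter) is the common state on hosts that ship mod_sed in a distro module directory, and it is worth recording even though it is not exploitable, because the next configuration change can turn it into "EXPOSED".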

📡 Detection & Monitoring

Log Indicators:

  • Worker exits logged by the parent in error_log, clustered in time: 'AH00051: child pid N exit signal Segmentation fault (11), possible coredump in ...' (AH00052 when no CoreDumpDirectory is set)
  • Connection resets or empty replies reported by clients or by a fronting proxy (502/503 there). A worker that crashes mid-request never writes its own access_log line, so 500s in access_log appear only when the filter failed cleanly
  • Worker churn (child restarts) without a matching graceful restart or reload in error_log

Network Indicators:

  • Unusual or repeated requests to paths that have a Sed filter configured, in particular request bodies to InputSed-filtered locations
  • Repeated TCP resets or truncated responses from the web server to one client within a short window

SIEM Query:

source="apache_error" AND message CONTAINS "exit signal" AND (message CONTAINS "AH00051" OR message CONTAINS "AH00052") | count by host over 5m, alert on 3 or more; optionally join with source="apache_access" AND status>=500 grouped by client_ip over the same window
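
The error_log and access_log checks above, as a script. This is an added example and not code from the Apache project or from the original page: the function names (count_child_crashes, crash_pids, crash_signals, noisy_clients) are this example's own, and the log lines are constructed samples in Apache's error_log and combined access_log formats, not captures from a real host.

```shell
#!/bin/sh
# Added example, not code from the Apache project or the original page.
# Log checks for the crash signature left behind by failed or partial
# exploitation: the parent httpd logs every worker killed by a signal as
# AH00051 (CoreDumpDirectory set) or AH00052 (not set). Function names are
# this example's own; the log lines below are constructed samples.

# count_child_crashes: number of signal-killed workers in error_log on stdin
count_child_crashes() {
    grep -cE 'AH0005[12]: child pid [0-9]+ exit signal' || true
}

# crash_pids: one crashed child pid per line, for matching against other logs
crash_pids() {
    sed -n 's/.*AH0005[12]: child pid \([0-9][0-9]*\) exit signal.*/\1/p'
}

# crash_signals: tally of the signals that killed workers (SIGSEGV dominates
# for a heap overwrite; SIGABRT shows up when malloc's own checks fire)
crash_signals() {
    sed -n 's/.*exit signal \([A-Za-z ]*\) ([0-9]*).*/\1/p' | sort | uniq -c
}

# noisy_clients <threshold>: clients in a combined-format access_log (stdin)
# with at least <threshold> 5xx responses. Blind spot: a worker that dies
# mid-request never writes its access_log line, so this only catches attempts
# that failed cleanly; error_log is the primary source.
noisy_clients() {
    awk -v t="$1" '$9 ~ /^5[0-9][0-9]$/ { c[$1]++ }
                   END { for (ip in c) if (c[ip] >= t) print ip, c[ip] }'
}

# Constructed samples (not captured from a real host).
SAMPLE_ERROR_LOG='[Wed Mar 16 10:22:13.100000 2022] [mpm_prefork:notice] [pid 1000] AH00163: Apache/2.4.52 (Unix) configured -- resuming normal operations
[Wed Mar 16 10:24:01.200000 2022] [core:notice] [pid 1000] AH00051: child pid 1201 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Wed Mar 16 10:24:03.300000 2022] [core:notice] [pid 1000] AH00052: child pid 1202 exit signal Segmentation fault (11)
[Wed Mar 16 10:24:05.400000 2022] [core:notice] [pid 1000] AH00052: child pid 1203 exit signal Aborted (6)'

SAMPLE_ACCESS_LOG='203.0.113.7 - - [16/Mar/2022:10:23:50 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [16/Mar/2022:10:23:55 +0000] "POST /api/upload HTTP/1.1" 500 0 "-" "curl/7.68.0"
203.0.113.7 - - [16/Mar/2022:10:23:57 +0000] "POST /api/upload HTTP/1.1" 500 0 "-" "curl/7.68.0"
203.0.113.7 - - [16/Mar/2022:10:23:58 +0000] "POST /api/upload HTTP/1.1" 500 0 "-" "curl/7.68.0"
203.0.113.7 - - [16/Mar/2022:10:23:59 +0000] "POST /api/upload HTTP/1.1" 500 0 "-" "curl/7.68.0"
198.51.100.4 - - [16/Mar/2022:10:24:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Mar/2022:10:24:11 +0000] "POST /api/upload HTTP/1.1" 500 0 "-" "Mozilla/5.0"'

printf 'signal-killed workers: %s\n' "$(printf '%s\n' "$SAMPLE_ERROR_LOG" | count_child_crashes)"
printf 'crashed child pids: %s\n' "$(printf '%s\n' "$SAMPLE_ERROR_LOG" | crash_pids | tr '\n' ' ')"
printf '%s\n' "$SAMPLE_ERROR_LOG" | crash_signals
printf 'clients with 3 or more 5xx responses:\n'
printf '%s\n' "$SAMPLE_ACCESS_LOG" | noisy_clients 3
# On a real host: count_child_crashes < /var/log/apache2/error.log
```

Run the error_log functions first; the access_log threshold is a secondary signal and is tuned per site (a busy API may legitimately return a handful of 5xx per client), while even a single AH00051/AH00052 on a host with a Sed filter deserves a look.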
