Attack surface and prerequisites

The attacker determines the exact version of HTTPD.

Known as "Apache Killer," this flaw in protocol.c allowed attackers to bypass "HttpOnly" cookie protections using malformed headers.

The release of 2.2.22 specifically addressed these issues found in prior versions: