9.8

CVE-2021-44790

Exploit

Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheHTTP Server Version < 2.4.52
FedoraprojectFedora Version34
FedoraprojectFedora Version35
FedoraprojectFedora Version36
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
TenableTenable.Sc Version >= 5.16.0 < 5.20.0
NetappCloud Backup Version-
OracleHTTP Server Version12.2.1.3.0
OracleHTTP Server Version12.2.1.4.0
ApplemacOS X Version10.15.7 Updatesecurity_update_2020-001
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-001
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-002
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-003
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-004
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-005
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-006
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-007
ApplemacOS X Version10.15.7 Updatesecurity_update_2021-008
ApplemacOS X Version10.15.7 Updatesecurity_update_2022-001
ApplemacOS X Version10.15.7 Updatesecurity_update_2022-002
ApplemacOS X Version10.15.7 Updatesecurity_update_2022-003
ApplemacOS Version < 10.15.7
ApplemacOS Version >= 11.0 < 11.6.6
ApplemacOS Version >= 12.0 < 12.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 97.11% 0.999
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

http://httpd.apache.org/security/vulnerabilities_24.html
Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html
Patch
Third Party Advisory
https://security.gentoo.org/glsa/202208-20
Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/35
Third Party Advisory
Mailing List
https://support.apple.com/kb/HT213256
Third Party Advisory
http://seclists.org/fulldisclosure/2022/May/33
Third Party Advisory
Mailing List
http://seclists.org/fulldisclosure/2022/May/38
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFSWOH4X77CV7AH7C4RMHUBDWKQDL4YH/
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20211224-0001/
Third Party Advisory
https://support.apple.com/kb/HT213255
Third Party Advisory
https://support.apple.com/kb/HT213257
Third Party Advisory
https://www.debian.org/security/2022/dsa-5035
Third Party Advisory
https://www.tenable.com/security/tns-2022-01
Third Party Advisory
https://www.tenable.com/security/tns-2022-03
Third Party Advisory
http://packetstormsecurity.com/files/171631/Apache-2.4.x-Buffer-Overflow.html
Exploit
http://www.openwall.com/lists/oss-security/2021/12/20/4
Third Party Advisory
Mailing List