{"containers": {"cna": {"affected": [{"product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "2.4.46"}, {"status": "affected", "version": "2.4.43"}, {"status": "affected", "version": "2.4.41"}, {"status": "affected", "version": "2.4.39"}, {"status": "affected", "version": "2.4.38"}, {"status": "affected", "version": "2.4.37"}, {"status": "affected", "version": "2.4.35"}, {"status": "affected", "version": "2.4.34"}, {"status": "affected", "version": "2.4.33"}, {"status": "affected", "version": "2.4.29"}, {"status": "affected", "version": "2.4.28"}, {"status": "affected", "version": "2.4.27"}, {"status": "affected", "version": "2.4.26"}, {"status": "affected", "version": "2.4.25"}, {"status": "affected", "version": "2.4.23"}, {"status": "affected", "version": "2.4.20"}, {"status": "affected", "version": "2.4.18"}, {"status": "affected", "version": "2.4.17"}, {"status": "affected", "version": "2.4.16"}, {"status": "affected", "version": "2.4.12"}, {"status": "affected", "version": "2.4.10"}, {"status": "affected", "version": "2.4.9"}, {"status": "affected", "version": "2.4.7"}, {"status": "affected", "version": "2.4.6"}, {"status": "affected", "version": "2.4.4"}, {"status": "affected", "version": "2.4.3"}, {"status": "affected", "version": "2.4.2"}, {"status": "affected", "version": "2.4.1"}, {"status": "affected", "version": "2.4.0"}]}], "credits": [{"lang": "en", "value": "This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales)"}], "descriptions": [{"lang": "en", "value": "Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service"}], "metrics": [{"other": {"content": {"other": "low"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"description": "mod_session NULL pointer dereference", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-20T10:41:43", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-announce] 20210609 CVE-2021-26690: mod_session NULL pointer dereference", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rae406c1d19c0dfd3103c96923dadac2af1cd0bad6905ab1ede153865%40%3Cannounce.httpd.apache.org%3E"}, {"name": "[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd%40%3Cdev.httpd.apache.org%3E"}, {"name": "[oss-security] 20210609 CVE-2021-26690: Apache httpd: mod_session NULL pointer dereference", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/06/10/6"}, {"name": "[debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html"}, {"name": "DSA-4937", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4937"}, {"name": "GLSA-202107-38", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202107-38"}, {"name": "FEDORA-2021-dce7e7738e", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"}, {"name": "FEDORA-2021-e3f6dd670d", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210702-0001/"}], "source": {"discovery": "UNKNOWN"}, "title": "mod_session NULL pointer dereference", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-26690", "STATE": "PUBLIC", "TITLE": "mod_session NULL pointer dereference"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache HTTP Server", "version": {"version_data": [{"version_affected": "=", "version_name": "2.4", "version_value": "2.4.46"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.43"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.41"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.39"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.38"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.37"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.35"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.34"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.33"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.29"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.28"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.27"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.26"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.25"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.23"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.20"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.18"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.17"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.16"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.12"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.10"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.9"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.7"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.6"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.4"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.3"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.2"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.1"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "low"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "mod_session NULL pointer dereference"}]}]}, "references": {"reference_data": [{"name": "http://httpd.apache.org/security/vulnerabilities_24.html", "refsource": "MISC", "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"name": "https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-announce] 20210609 CVE-2021-26690: mod_session NULL pointer dereference", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rae406c1d19c0dfd3103c96923dadac2af1cd0bad6905ab1ede153865@%3Cannounce.httpd.apache.org%3E"}, {"name": "[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd@%3Cdev.httpd.apache.org%3E"}, {"name": "[oss-security] 20210609 CVE-2021-26690: Apache httpd: mod_session NULL pointer dereference", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/06/10/6"}, {"name": "[debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html"}, {"name": "DSA-4937", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4937"}, {"name": "GLSA-202107-38", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202107-38"}, {"name": "FEDORA-2021-dce7e7738e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"}, {"name": "FEDORA-2021-e3f6dd670d", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"name": "https://security.netapp.com/advisory/ntap-20210702-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210702-0001/"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:33:40.192Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-announce] 20210609 CVE-2021-26690: mod_session NULL pointer dereference", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rae406c1d19c0dfd3103c96923dadac2af1cd0bad6905ab1ede153865%40%3Cannounce.httpd.apache.org%3E"}, {"name": "[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd%40%3Cdev.httpd.apache.org%3E"}, {"name": "[oss-security] 20210609 CVE-2021-26690: Apache httpd: mod_session NULL pointer dereference", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/06/10/6"}, {"name": "[debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html"}, {"name": "DSA-4937", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4937"}, {"name": "GLSA-202107-38", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202107-38"}, {"name": "FEDORA-2021-dce7e7738e", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"}, {"name": "FEDORA-2021-e3f6dd670d", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210702-0001/"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-26690", "datePublished": "2021-06-10T07:10:22", "dateReserved": "2021-02-04T00:00:00", "dateUpdated": "2024-08-03T20:33:40.192Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8375A8C8-38EB-4F32-97FD-0841D57C1971", "versionEndIncluding": "2.4.46", "versionStartIncluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B095CC03-7077-4A58-AB25-CC5380CDCE5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", "matchCriteriaId": "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*", "matchCriteriaId": "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "matchCriteriaId": "7F69B9A5-F21B-4904-9F27-95C0F7A628E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service"}, {"lang": "es", "value": "Apache HTTP Server versiones 2.4.0 a 2.4.46, un encabezado de Cookie especialmente dise\u00f1ado y gestionado por la funci\u00f3n mod_session puede causar una desviaci\u00f3n del puntero NULL y un fallo, lo que puede causar una denegaci\u00f3n de servicio"}], "id": "CVE-2021-26690", "lastModified": "2023-11-07T03:31:47.720", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-10T07:15:07.543", "references": [{"source": "security@apache.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/06/10/6"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd%40%3Cdev.httpd.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rae406c1d19c0dfd3103c96923dadac2af1cd0bad6905ab1ede153865%40%3Cannounce.httpd.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202107-38"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210702-0001/"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4937"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Antonio Morales (GHSL) and the Apache project for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-apr-0:1.6.3-107.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-apr-util-0:1.6.1-84.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-curl-0:7.78.0-2.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-httpd-0:2.4.37-78.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_cluster-native-0:1.3.16-9.Final_redhat_2.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_http2-0:1.15.7-21.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_jk-0:1.2.48-20.redhat_1.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_md-1:2.0.8-40.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_security-0:2.9.2-67.GA.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-nghttp2-0:1.39.2-39.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-openssl-1:1.1.1g-8.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-openssl-chil-0:1.0.0-7.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-openssl-pkcs11-0:0.4.10-22.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-apr-0:1.6.3-107.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-apr-util-0:1.6.1-84.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-curl-0:7.78.0-2.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-httpd-0:2.4.37-78.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_cluster-native-0:1.3.16-9.Final_redhat_2.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_http2-0:1.15.7-21.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_jk-0:1.2.48-20.redhat_1.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_md-1:2.0.8-40.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_security-0:2.9.2-67.GA.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-nghttp2-0:1.39.2-39.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-openssl-1:1.1.1g-8.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-openssl-chil-0:1.0.0-7.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-openssl-pkcs11-0:0.4.10-22.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4257", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "httpd:2.4-8050020210712211742.b4937e53", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4613", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "httpd", "product_name": "Red Hat JBoss Core Services 1", "release_date": "2021-11-10T00:00:00Z"}], "bugzilla": {"description": "httpd: mod_session: NULL pointer dereference when parsing Cookie header", "id": "1966729", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1966729"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-476", "details": ["Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service", "A NULL pointer dereference was found in Apache httpd mod_session. The highest threat from this vulnerability is to system availability."], "mitigation": {"lang": "en:us", "value": "Only configurations which use the \"SessionEnv\" directive (which is not widely used) are vulnerable to this flaw. SessionEnv is not enabled in default configuration of httpd package shipped with Red Hat Products."}, "name": "CVE-2021-26690", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "httpd22", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:2", "fix_state": "Out of support scope", "package_name": "httpd22", "product_name": "Red Hat JBoss Enterprise Web Server 2"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "httpd24-httpd", "product_name": "Red Hat Software Collections"}], "public_date": "2021-06-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-26690\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-26690\nhttps://httpd.apache.org/security/vulnerabilities_24.html"], "statement": "This is a null pointer deference caused when using mod_session. It can result in crash of httpd child process by a remote attacker.", "threat_severity": "Moderate", "upstream_fix": "httpd 2.4.47"}