{"containers": {"cna": {"affected": [{"product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "2.4.46"}, {"status": "affected", "version": "2.4.43"}, {"status": "affected", "version": "2.4.41"}, {"status": "affected", "version": "2.4.39"}, {"status": "affected", "version": "2.4.38"}, {"status": "affected", "version": "2.4.37"}, {"status": "affected", "version": "2.4.35"}, {"status": "affected", "version": "2.4.34"}, {"status": "affected", "version": "2.4.33"}, {"status": "affected", "version": "2.4.29"}, {"status": "affected", "version": "2.4.28"}, {"status": "affected", "version": "2.4.27"}, {"status": "affected", "version": "2.4.26"}, {"status": "affected", "version": "2.4.25"}, {"status": "affected", "version": "2.4.23"}, {"status": "affected", "version": "2.4.20"}, {"status": "affected", "version": "2.4.18"}, {"status": "affected", "version": "2.4.17"}, {"status": "affected", "version": "2.4.16"}, {"status": "affected", "version": "2.4.12"}, {"status": "affected", "version": "2.4.10"}, {"status": "affected", "version": "2.4.9"}, {"status": "affected", "version": "2.4.7"}, {"status": "affected", "version": "2.4.6"}, {"status": "affected", "version": "2.4.4"}, {"status": "affected", "version": "2.4.3"}, {"status": "affected", "version": "2.4.2"}, {"status": "affected", "version": "2.4.1"}, {"status": "affected", "version": "2.4.0"}]}], "credits": [{"lang": "en", "value": "Discovered internally Christophe Jaillet"}], "descriptions": [{"lang": "en", "value": "In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow"}], "metrics": [{"other": {"content": {"other": "low"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-07T14:41:53", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-announce] 20210609 CVE-2021-26691: mod_session response handling heap overflow", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r50cae1b71f1e7421069036b213c26da7d8f47dd59874e3bd956959fe%40%3Cannounce.httpd.apache.org%3E"}, {"name": "[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd%40%3Cdev.httpd.apache.org%3E"}, {"name": "[oss-security] 20210609 CVE-2021-26691: Apache httpd: mod_session response handling heap overflow", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/06/10/7"}, {"name": "[debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html"}, {"name": "DSA-4937", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4937"}, {"name": "GLSA-202107-38", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202107-38"}, {"name": "FEDORA-2021-dce7e7738e", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"}, {"name": "FEDORA-2021-e3f6dd670d", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210702-0001/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache HTTP Server mod_session response handling heap overflow", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-26691", "STATE": "PUBLIC", "TITLE": "Apache HTTP Server mod_session response handling heap overflow"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache HTTP Server", "version": {"version_data": [{"version_affected": "=", "version_name": "2.4", "version_value": "2.4.46"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.43"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.41"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.39"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.38"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.37"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.35"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.34"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.33"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.29"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.28"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.27"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.26"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.25"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.23"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.20"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.18"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.17"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.16"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.12"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.10"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.9"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.7"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.6"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.4"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.3"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.2"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.1"}, {"version_affected": "=", "version_name": "2.4", "version_value": "2.4.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Discovered internally Christophe Jaillet"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "low"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-122 Heap-based Buffer Overflow"}]}]}, "references": {"reference_data": [{"name": "http://httpd.apache.org/security/vulnerabilities_24.html", "refsource": "MISC", "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"name": "https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-announce] 20210609 CVE-2021-26691: mod_session response handling heap overflow", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r50cae1b71f1e7421069036b213c26da7d8f47dd59874e3bd956959fe@%3Cannounce.httpd.apache.org%3E"}, {"name": "[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd@%3Cdev.httpd.apache.org%3E"}, {"name": "[oss-security] 20210609 CVE-2021-26691: Apache httpd: mod_session response handling heap overflow", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/06/10/7"}, {"name": "[debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html"}, {"name": "DSA-4937", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4937"}, {"name": "GLSA-202107-38", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202107-38"}, {"name": "FEDORA-2021-dce7e7738e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"}, {"name": "FEDORA-2021-e3f6dd670d", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"name": "https://security.netapp.com/advisory/ntap-20210702-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210702-0001/"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:33:40.152Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E"}, {"name": "[httpd-announce] 20210609 CVE-2021-26691: mod_session response handling heap overflow", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r50cae1b71f1e7421069036b213c26da7d8f47dd59874e3bd956959fe%40%3Cannounce.httpd.apache.org%3E"}, {"name": "[httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd%40%3Cdev.httpd.apache.org%3E"}, {"name": "[oss-security] 20210609 CVE-2021-26691: Apache httpd: mod_session response handling heap overflow", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/06/10/7"}, {"name": "[debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html"}, {"name": "DSA-4937", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4937"}, {"name": "GLSA-202107-38", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202107-38"}, {"name": "FEDORA-2021-dce7e7738e", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"}, {"name": "FEDORA-2021-e3f6dd670d", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210702-0001/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-26691", "datePublished": "2021-06-10T07:10:23", "dateReserved": "2021-02-04T00:00:00", "dateUpdated": "2024-08-03T20:33:40.152Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8375A8C8-38EB-4F32-97FD-0841D57C1971", "versionEndIncluding": "2.4.46", "versionStartIncluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B095CC03-7077-4A58-AB25-CC5380CDCE5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", "matchCriteriaId": "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*", "matchCriteriaId": "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "matchCriteriaId": "7F69B9A5-F21B-4904-9F27-95C0F7A628E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:secure_backup:*:*:*:*:*:*:*:*", "matchCriteriaId": "C01E8B82-71C7-4A4A-A70A-7B147524AB4A", "versionEndExcluding": "18.1.0.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "matchCriteriaId": "5C2089EE-5D7F-47EC-8EA5-0F69790564C4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow"}, {"lang": "es", "value": "Apache HTTP Server versiones 2.4.0 a 2.4.46 , un par\u00e1metro SessionHeader especialmente dise\u00f1ado enviado por un servidor de origen podr\u00eda causar un desbordamiento de pila"}], "id": "CVE-2021-26691", "lastModified": "2024-11-21T05:56:41.067", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-10T07:15:07.580", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/06/10/7"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r50cae1b71f1e7421069036b213c26da7d8f47dd59874e3bd956959fe%40%3Cannounce.httpd.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd%40%3Cdev.httpd.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Release Notes", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202107-38"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210702-0001/"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4937"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/06/10/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r50cae1b71f1e7421069036b213c26da7d8f47dd59874e3bd956959fe%40%3Cannounce.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111bb5d15cda0a68dd%40%3Cdev.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Release Notes", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202107-38"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210702-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4937"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Christophe Jaillet and the Apache project for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-apr-0:1.6.3-107.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-apr-util-0:1.6.1-84.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-curl-0:7.78.0-2.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-httpd-0:2.4.37-78.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_cluster-native-0:1.3.16-9.Final_redhat_2.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_http2-0:1.15.7-21.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_jk-0:1.2.48-20.redhat_1.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_md-1:2.0.8-40.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_security-0:2.9.2-67.GA.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-nghttp2-0:1.39.2-39.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-openssl-1:1.1.1g-8.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-openssl-chil-0:1.0.0-7.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-openssl-pkcs11-0:0.4.10-22.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-apr-0:1.6.3-107.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-apr-util-0:1.6.1-84.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-curl-0:7.78.0-2.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-httpd-0:2.4.37-78.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_cluster-native-0:1.3.16-9.Final_redhat_2.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_http2-0:1.15.7-21.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_jk-0:1.2.48-20.redhat_1.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_md-1:2.0.8-40.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_security-0:2.9.2-67.GA.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-nghttp2-0:1.39.2-39.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-openssl-1:1.1.1g-8.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-openssl-chil-0:1.0.0-7.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2021:4614", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-openssl-pkcs11-0:0.4.10-22.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2021-11-10T00:00:00Z"}, {"advisory": "RHSA-2022:0143", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "httpd-0:2.4.6-97.el7_9.4", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-01-17T00:00:00Z"}, {"advisory": "RHSA-2021:3816", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "httpd:2.4-8040020211008164252.522a0ee4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-10-12T00:00:00Z"}, {"advisory": "RHSA-2021:4613", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "httpd", "product_name": "Text-Only JBCS", "release_date": "2021-11-10T00:00:00Z"}], "bugzilla": {"description": "httpd: mod_session: Heap overflow via a crafted SessionHeader value", "id": "1966732", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1966732"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-119", "details": ["In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow", "A heap overflow flaw was found In Apache httpd mod_session. The highest threat from this vulnerability is to system availability."], "mitigation": {"lang": "en:us", "value": "Only configurations which use the \"SessionEnv\" directive (which is not widely used) are vulnerable to this flaw. SessionEnv is not enabled in default configuration of httpd package shipped with Red Hat Products."}, "name": "CVE-2021-26691", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "httpd22", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:2", "fix_state": "Out of support scope", "package_name": "httpd22", "product_name": "Red Hat JBoss Enterprise Web Server 2"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "httpd24-httpd", "product_name": "Red Hat Software Collections"}], "public_date": "2021-06-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-26691\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-26691\nhttps://httpd.apache.org/security/vulnerabilities_24.html"], "statement": "This flaw can result in a crash of the httpd child process when mod_session is used.", "threat_severity": "Moderate"}