{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-44790", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2024-08-04T04:32:13.543Z", "dateReserved": "2021-12-10T00:00:00.000Z", "datePublished": "2021-12-20T00:00:00.000Z"}, "containers": {"cna": {"title": "Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-04-03T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier."}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache HTTP Server", "versions": [{"version": "Apache HTTP Server 2.4", "status": "affected", "lessThanOrEqual": "2.4.51", "versionType": "custom"}]}], "references": [{"url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"name": "[oss-security] 20211220 CVE-2021-44790: Apache HTTP Server: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2021/12/20/4"}, {"name": "FEDORA-2021-29a536c2ae", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFSWOH4X77CV7AH7C4RMHUBDWKQDL4YH/"}, {"name": "DSA-5035", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5035"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"url": "https://security.netapp.com/advisory/ntap-20211224-0001/"}, {"url": "https://www.tenable.com/security/tns-2022-01"}, {"url": "https://www.tenable.com/security/tns-2022-03"}, {"name": "FEDORA-2022-b4103753e9", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"}, {"name": "FEDORA-2022-21264ec6db", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"}, {"name": "FEDORA-2022-78e3211c55", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"url": "https://support.apple.com/kb/HT213257"}, {"url": "https://support.apple.com/kb/HT213256"}, {"url": "https://support.apple.com/kb/HT213255"}, {"name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2022/May/33"}, {"name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2022/May/35"}, {"name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2022/May/38"}, {"name": "GLSA-202208-20", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202208-20"}, {"url": "http://packetstormsecurity.com/files/171631/Apache-2.4.x-Buffer-Overflow.html"}], "credits": [{"lang": "en", "value": "Chamal"}, {"lang": "en", "value": "Anonymous working with Trend Micro Zero Day Initiative"}], "metrics": [{"other": {"type": "unknown", "content": {"other": "high"}}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-787 Out-of-bounds Write", "cweId": "CWE-787"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2021-12-07T00:00:00.000Z", "value": "Reported to security team"}, {"lang": "en", "time": "2021-12-16T00:00:00.000Z", "value": "Fixed by r1896039 in 2.4.x"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:32:13.543Z"}, "title": "CVE Program Container", "references": [{"url": "http://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["x_transferred"]}, {"name": "[oss-security] 20211220 CVE-2021-44790: Apache HTTP Server: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/12/20/4"}, {"name": "FEDORA-2021-29a536c2ae", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFSWOH4X77CV7AH7C4RMHUBDWKQDL4YH/"}, {"name": "DSA-5035", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5035"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20211224-0001/", "tags": ["x_transferred"]}, {"url": "https://www.tenable.com/security/tns-2022-01", "tags": ["x_transferred"]}, {"url": "https://www.tenable.com/security/tns-2022-03", "tags": ["x_transferred"]}, {"name": "FEDORA-2022-b4103753e9", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"}, {"name": "FEDORA-2022-21264ec6db", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"}, {"name": "FEDORA-2022-78e3211c55", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT213257", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT213256", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT213255", "tags": ["x_transferred"]}, {"name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina", "tags": ["mailing-list", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2022/May/33"}, {"name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6", "tags": ["mailing-list", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2022/May/35"}, {"name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4", "tags": ["mailing-list", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2022/May/38"}, {"name": "GLSA-202208-20", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-20"}, {"url": "http://packetstormsecurity.com/files/171631/Apache-2.4.x-Buffer-Overflow.html", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "03FD29A5-886E-4561-97D0-2267DA27A47D", "versionEndExcluding": "2.4.52", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A939B08-CFD8-44D6-B06A-71819E7EFF21", "versionEndExcluding": "5.20.0", "versionStartIncluding": "5.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "matchCriteriaId": "5C2089EE-5D7F-47EC-8EA5-0F69790564C4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "F2AD8797-A70D-4FC7-8A7B-1EF9F43AB4DF", "versionEndIncluding": "9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "CBE1A019-7BB6-4226-8AC4-9D6927ADAEFA", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*", "matchCriteriaId": "B98BAEB2-A540-4E8A-A946-C4331B913AFD", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "B8FBE260-E306-4215-80C0-D2D27CA43E0F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "676F28B8-F780-4441-8062-53E1D69200DF", "versionEndIncluding": "9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D164570-BB85-4090-B3C6-2CAB324BDAD6", "versionEndIncluding": "9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DFC79B17-E9D2-44D5-93ED-2F959E7A3D43", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "AD04BEE5-E9A8-4584-A68C-0195CE9C402C", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", "matchCriteriaId": "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*", "matchCriteriaId": "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", "matchCriteriaId": "7F69B9A5-F21B-4904-9F27-95C0F7A628E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*", "matchCriteriaId": "F1F4BF7F-90D4-4668-B4E6-B06F4070F448", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*", "matchCriteriaId": "0F441A43-1669-478D-9EC8-E96882DE4F9F", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-002:*:*:*:*:*:*", "matchCriteriaId": "D425C653-37A2-448C-BF2F-B684ADB08A26", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-003:*:*:*:*:*:*", "matchCriteriaId": "A54D63B7-B92B-47C3-B1C5-9892E5873A98", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-004:*:*:*:*:*:*", "matchCriteriaId": "3456176F-9185-4EE2-A8CE-3D989D674AB7", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-005:*:*:*:*:*:*", "matchCriteriaId": "D337EE21-2F00-484D-9285-F2B0248D7A19", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-006:*:*:*:*:*:*", "matchCriteriaId": "012052B5-9AA7-4FD3-9C80-5F615330039D", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-007:*:*:*:*:*:*", "matchCriteriaId": "50F21A3C-0AC3-48C5-A4F8-5A7B478875B4", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-008:*:*:*:*:*:*", "matchCriteriaId": "8E974DC6-F7D9-4389-9AF9-863F6E419CE6", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-001:*:*:*:*:*:*", "matchCriteriaId": "156A6382-2BD3-4882-90B2-8E7CF6659E17", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-002:*:*:*:*:*:*", "matchCriteriaId": "20A2FDB2-6712-406A-9896-C0B44508B07D", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-003:*:*:*:*:*:*", "matchCriteriaId": "49F537A0-DC42-4176-B22F-C80D179DD99D", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "3BD2A211-4E62-40BF-9BA0-5239FA6F0AF8", "versionEndExcluding": "10.15.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "09A6345C-D813-43BA-B12E-789C80653F86", "versionEndExcluding": "11.6.6", "versionStartIncluding": "11.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "35154201-43EA-4C22-B0BA-D1A24C46D320", "versionEndExcluding": "12.4", "versionStartIncluding": "12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier."}, {"lang": "es", "value": "Un cuerpo de petici\u00f3n cuidadosamente dise\u00f1ado puede causar un desbordamiento de b\u00fafer en el analizador multiparte mod_lua (r:parsebody() llamado desde scripts Lua). El equipo de Apache httpd no presenta constancia de que se presente una explotaci\u00f3n para esta vulnerabilidad, aunque podr\u00eda ser posible dise\u00f1ar uno. Este problema afecta a Apache HTTP Server versiones 2.4.51 y anteriores"}], "id": "CVE-2021-44790", "lastModified": "2025-05-01T15:38:06.313", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-20T12:15:07.440", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "security@apache.org", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/171631/Apache-2.4.x-Buffer-Overflow.html"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/May/33"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/May/35"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/May/38"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/12/20/4"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFSWOH4X77CV7AH7C4RMHUBDWKQDL4YH/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-20"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211224-0001/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT213255"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT213256"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT213257"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5035"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.tenable.com/security/tns-2022-01"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.tenable.com/security/tns-2022-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://packetstormsecurity.com/files/171631/Apache-2.4.x-Buffer-Overflow.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/May/33"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/May/35"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/May/38"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/12/20/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFSWOH4X77CV7AH7C4RMHUBDWKQDL4YH/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-20"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211224-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT213255"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT213256"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT213257"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5035"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.tenable.com/security/tns-2022-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.tenable.com/security/tns-2022-03"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security@apache.org", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:0143", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "httpd-0:2.4.6-97.el7_9.4", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-01-17T00:00:00Z"}, {"advisory": "RHSA-2022:1139", "cpe": "cpe:/o:redhat:rhel_aus:7.3", "package": "httpd-0:2.4.6-45.el7_3.8", "product_name": "Red Hat Enterprise Linux 7.3 Advanced Update Support", "release_date": "2022-04-01T00:00:00Z"}, {"advisory": "RHSA-2022:1138", "cpe": "cpe:/o:redhat:rhel_aus:7.4", "package": "httpd-0:2.4.6-67.el7_4.9", "product_name": "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date": "2022-04-01T00:00:00Z"}, {"advisory": "RHSA-2022:1136", "cpe": "cpe:/o:redhat:rhel_aus:7.6", "package": "httpd-0:2.4.6-89.el7_6.4", "product_name": "Red Hat Enterprise Linux 7.6 Advanced Update Support(Disable again in 2026 - SPRHEL-7118)", "release_date": "2022-04-01T00:00:00Z"}, {"advisory": "RHSA-2022:1136", "cpe": "cpe:/o:redhat:rhel_tus:7.6", "package": "httpd-0:2.4.6-89.el7_6.4", "product_name": "Red Hat Enterprise Linux 7.6 Telco Extended Update Support", "release_date": "2022-04-01T00:00:00Z"}, {"advisory": "RHSA-2022:1136", "cpe": "cpe:/o:redhat:rhel_e4s:7.6", "package": "httpd-0:2.4.6-89.el7_6.4", "product_name": "Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions", "release_date": "2022-04-01T00:00:00Z"}, {"advisory": "RHSA-2022:1137", "cpe": "cpe:/o:redhat:rhel_aus:7.7", "package": "httpd-0:2.4.6-90.el7_7.3", "product_name": "Red Hat Enterprise Linux 7.7 Advanced Update Support", "release_date": "2022-04-01T00:00:00Z"}, {"advisory": "RHSA-2022:1137", "cpe": "cpe:/o:redhat:rhel_tus:7.7", "package": "httpd-0:2.4.6-90.el7_7.3", "product_name": "Red Hat Enterprise Linux 7.7 Telco Extended Update Support", "release_date": "2022-04-01T00:00:00Z"}, {"advisory": "RHSA-2022:1137", "cpe": "cpe:/o:redhat:rhel_e4s:7.7", "package": "httpd-0:2.4.6-90.el7_7.3", "product_name": "Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions", "release_date": "2022-04-01T00:00:00Z"}, {"advisory": "RHSA-2022:0258", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "httpd:2.4-8050020220111011611.c5368500", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-01-25T00:00:00Z"}, {"advisory": "RHSA-2022:0288", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "httpd:2.4-8010020220111012130.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-01-26T00:00:00Z"}, {"advisory": "RHSA-2022:0258", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "httpd:2.4-8020020220111012020.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-01-25T00:00:00Z"}, {"advisory": "RHSA-2022:0258", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "httpd:2.4-8040020220111011738.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-01-25T00:00:00Z"}, {"advisory": "RHSA-2022:0303", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "httpd24-httpd-0:2.4.34-23.el7.1", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2022-01-27T00:00:00Z"}], "bugzilla": {"description": "httpd: mod_lua: Possible buffer overflow when parsing multipart content", "id": "2034674", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2034674"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "(CWE-400|CWE-787)", "details": ["A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.", "A buffer overflow flaw in httpd's lua module could allow an out-of-bounds write. An attacker who is able to submit a crafted request to an httpd instance that is using the lua module may be able to cause an impact to confidentiality, integrity, and/or availability."], "mitigation": {"lang": "en:us", "value": "Disabling mod_lua and restarting httpd will mitigate this flaw. See https://access.redhat.com/articles/10649 for more information."}, "name": "CVE-2021-44790", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Not affected", "package_name": "jbcs-httpd24-httpd", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "httpd", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}], "public_date": "2021-12-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-44790\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44790\nhttp://httpd.apache.org/security/vulnerabilities_24.html"], "statement": "httpd as shipped in Red Hat Enterprise Linux 6 is NOT affected by this flaw because it does not ship mod_lua.", "threat_severity": "Important"}

{}