All errata/c9f2/ALT-PU-2021-3635-1
ALT-PU-2021-3635-1

Package update apache2 in branch c9f2

Version2.4.52-alt1
Task#292418
Published2021-12-27
Max severityCRITICAL
Severity:

Closed issues (4)

BDU:2021-06392
CRITICAL10.0

Уязвимость HTTP-сервера Apache, связанная с выходом операции за границу буфера в памяти, позволяющая нарушителю выполнить произвольный код

Published: 2021-12-28Modified: 2025-08-19
CVSS 3.xCRITICAL 10.0
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2021-06393
HIGH7.2

Уязвимость HTTP-сервера Apache, связанная с подделкой запросов на стороне сервера, позволяющая нарушителю провести SSRF-атаку

Published: 2021-12-28Modified: 2025-08-19
CVSS 3.xHIGH 7.2
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N
References
CVE-2021-44224
HIGH8.2

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

Published: 2021-12-20Modified: 2024-11-21
CVSS 2.0MEDIUM 6.4
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSS 3.xHIGH 8.2
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
References
CVE-2021-44790
CRITICAL9.8

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

Published: 2021-12-20Modified: 2025-05-01
CVSS 2.0HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS 3.xCRITICAL 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References

Closed bugs (1)