ALT-PU-2022-4735-1
Closed vulnerabilities
Published: 2021-12-20
BDU:2021-06392
Уязвимость HTTP-сервера Apache, связанная с выходом операции за границу буфера в памяти, позволяющая нарушителю выполнить произвольный код
Severity: CRITICAL (10.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
References:
Published: 2021-12-20
BDU:2021-06393
Уязвимость HTTP-сервера Apache, связанная с подделкой запросов на стороне сервера, позволяющая нарушителю провести SSRF-атаку
Severity: HIGH (7.2)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
References:
Published: 2022-03-14
BDU:2022-01455
Уязвимость веб-сервера Apache HTTP Server, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код
Severity: CRITICAL (9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2022-03-14
BDU:2022-01456
Уязвимость веб-сервера Apache HTTP Server, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку "контрабанда HTTP-запросов"
Severity: MEDIUM (6.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2022-03-14
BDU:2022-01457
Уязвимость веб-сервера Apache HTTP Server, связанная с недостатками проверки вводимых данных, позволяющая нарушителю вызвать отказ в обслуживании
Severity: HIGH (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2022-03-14
BDU:2022-01461
Уязвимость веб-сервера Apache HTTP Server, связанная с записью за пределами буфера памяти, позволяющая нарушителю выполнить произвольный код
Severity: CRITICAL (9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2021-12-20
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2021-44224
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
Severity: HIGH (8.2)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
References:
- http://httpd.apache.org/security/vulnerabilities_24.html
- http://httpd.apache.org/security/vulnerabilities_24.html
- 20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina
- 20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina
- 20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6
- 20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6
- 20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4
- 20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4
- [oss-security] 20211220 CVE-2021-44224: Apache HTTP Server: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier
- [oss-security] 20211220 CVE-2021-44224: Apache HTTP Server: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier
- FEDORA-2021-29a536c2ae
- FEDORA-2021-29a536c2ae
- FEDORA-2022-b4103753e9
- FEDORA-2022-b4103753e9
- FEDORA-2022-78e3211c55
- FEDORA-2022-78e3211c55
- FEDORA-2022-21264ec6db
- FEDORA-2022-21264ec6db
- GLSA-202208-20
- GLSA-202208-20
- https://security.netapp.com/advisory/ntap-20211224-0001/
- https://security.netapp.com/advisory/ntap-20211224-0001/
- https://support.apple.com/kb/HT213255
- https://support.apple.com/kb/HT213255
- https://support.apple.com/kb/HT213256
- https://support.apple.com/kb/HT213256
- https://support.apple.com/kb/HT213257
- https://support.apple.com/kb/HT213257
- DSA-5035
- DSA-5035
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.tenable.com/security/tns-2022-01
- https://www.tenable.com/security/tns-2022-01
- https://www.tenable.com/security/tns-2022-03
- https://www.tenable.com/security/tns-2022-03
Published: 2021-12-20
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2021-44790
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://httpd.apache.org/security/vulnerabilities_24.html
- http://httpd.apache.org/security/vulnerabilities_24.html
- http://packetstormsecurity.com/files/171631/Apache-2.4.x-Buffer-Overflow.html
- http://packetstormsecurity.com/files/171631/Apache-2.4.x-Buffer-Overflow.html
- 20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina
- 20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina
- 20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6
- 20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6
- 20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4
- 20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4
- [oss-security] 20211220 CVE-2021-44790: Apache HTTP Server: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier
- [oss-security] 20211220 CVE-2021-44790: Apache HTTP Server: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier
- FEDORA-2021-29a536c2ae
- FEDORA-2021-29a536c2ae
- FEDORA-2022-b4103753e9
- FEDORA-2022-b4103753e9
- FEDORA-2022-78e3211c55
- FEDORA-2022-78e3211c55
- FEDORA-2022-21264ec6db
- FEDORA-2022-21264ec6db
- GLSA-202208-20
- GLSA-202208-20
- https://security.netapp.com/advisory/ntap-20211224-0001/
- https://security.netapp.com/advisory/ntap-20211224-0001/
- https://support.apple.com/kb/HT213255
- https://support.apple.com/kb/HT213255
- https://support.apple.com/kb/HT213256
- https://support.apple.com/kb/HT213256
- https://support.apple.com/kb/HT213257
- https://support.apple.com/kb/HT213257
- DSA-5035
- DSA-5035
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.tenable.com/security/tns-2022-01
- https://www.tenable.com/security/tns-2022-01
- https://www.tenable.com/security/tns-2022-03
- https://www.tenable.com/security/tns-2022-03
Published: 2022-03-14
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2022-22719
A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- 20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina
- 20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina
- 20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6
- 20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6
- 20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4
- 20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4
- [oss-security] 20220314 CVE-2022-22719: Apache HTTP Server: mod_lua Use of uninitialized value of in r:parsebody
- [oss-security] 20220314 CVE-2022-22719: Apache HTTP Server: mod_lua Use of uninitialized value of in r:parsebody
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://httpd.apache.org/security/vulnerabilities_24.html
- [debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update
- [debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update
- FEDORA-2022-b4103753e9
- FEDORA-2022-b4103753e9
- FEDORA-2022-78e3211c55
- FEDORA-2022-78e3211c55
- FEDORA-2022-21264ec6db
- FEDORA-2022-21264ec6db
- GLSA-202208-20
- GLSA-202208-20
- https://security.netapp.com/advisory/ntap-20220321-0001/
- https://security.netapp.com/advisory/ntap-20220321-0001/
- https://support.apple.com/kb/HT213255
- https://support.apple.com/kb/HT213255
- https://support.apple.com/kb/HT213256
- https://support.apple.com/kb/HT213256
- https://support.apple.com/kb/HT213257
- https://support.apple.com/kb/HT213257
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
Published: 2022-03-14
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2022-22720
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- 20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina
- 20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina
- 20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6
- 20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6
- 20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4
- 20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4
- [oss-security] 20220314 CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
- [oss-security] 20220314 CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://httpd.apache.org/security/vulnerabilities_24.html
- [debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update
- [debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update
- FEDORA-2022-b4103753e9
- FEDORA-2022-b4103753e9
- FEDORA-2022-78e3211c55
- FEDORA-2022-78e3211c55
- FEDORA-2022-21264ec6db
- FEDORA-2022-21264ec6db
- GLSA-202208-20
- GLSA-202208-20
- https://security.netapp.com/advisory/ntap-20220321-0001/
- https://security.netapp.com/advisory/ntap-20220321-0001/
- https://support.apple.com/kb/HT213255
- https://support.apple.com/kb/HT213255
- https://support.apple.com/kb/HT213256
- https://support.apple.com/kb/HT213256
- https://support.apple.com/kb/HT213257
- https://support.apple.com/kb/HT213257
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
Published: 2022-03-14
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2022-22721
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
Severity: CRITICAL (9.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
References:
- 20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina
- 20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina
- 20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6
- 20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6
- 20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4
- 20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4
- [oss-security] 20220314 CVE-2022-22721: Apache HTTP Server: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
- [oss-security] 20220314 CVE-2022-22721: Apache HTTP Server: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://httpd.apache.org/security/vulnerabilities_24.html
- [debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update
- [debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update
- FEDORA-2022-b4103753e9
- FEDORA-2022-b4103753e9
- FEDORA-2022-78e3211c55
- FEDORA-2022-78e3211c55
- FEDORA-2022-21264ec6db
- FEDORA-2022-21264ec6db
- GLSA-202208-20
- GLSA-202208-20
- https://security.netapp.com/advisory/ntap-20220321-0001/
- https://security.netapp.com/advisory/ntap-20220321-0001/
- https://support.apple.com/kb/HT213255
- https://support.apple.com/kb/HT213255
- https://support.apple.com/kb/HT213256
- https://support.apple.com/kb/HT213256
- https://support.apple.com/kb/HT213257
- https://support.apple.com/kb/HT213257
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
Published: 2022-03-14
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2022-23943
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- [oss-security] 20220314 CVE-2022-23943: Apache HTTP Server: mod_sed: Read/write beyond bounds
- [oss-security] 20220314 CVE-2022-23943: Apache HTTP Server: mod_sed: Read/write beyond bounds
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://httpd.apache.org/security/vulnerabilities_24.html
- [debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update
- [debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update
- FEDORA-2022-b4103753e9
- FEDORA-2022-b4103753e9
- FEDORA-2022-78e3211c55
- FEDORA-2022-78e3211c55
- FEDORA-2022-21264ec6db
- FEDORA-2022-21264ec6db
- GLSA-202208-20
- GLSA-202208-20
- https://security.netapp.com/advisory/ntap-20220321-0001/
- https://security.netapp.com/advisory/ntap-20220321-0001/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.tenable.com/security/tns-2022-08
- https://www.tenable.com/security/tns-2022-08
- https://www.tenable.com/security/tns-2022-09
- https://www.tenable.com/security/tns-2022-09
Closed bugs
Зависит от systemd