CVE-2021-26691: httpd: mod_session: Heap overflow via a crafted SessionHeader value
CVE-2021-39275: httpd: Out-of-bounds write in ap_escape_quotes() via malicious input
CVE-2021-44790: httpd: mod_lua: Possible buffer overflow when parsing multipart content
Score:
cve_id status cvss2Score av ac au ai
CVE-2021-26691 fixed 7.5 N L N P
CVE-2021-39275 fixed 7.5 N L N P
CVE-2021-44790 fixed 7.5 N L N P
Description:
CVE-2021-26691: In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow
CVE-2021-39275: ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.
CVE-2021-44790: A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
References:
• https://nvd.nist.gov/vuln/detail/CVE-2021-26691
• https://access.redhat.com/security/cve/cve-2021-26691
• https://nvd.nist.gov/vuln/detail/CVE-2021-39275
• https://access.redhat.com/security/cve/cve-2021-39275
• https://nvd.nist.gov/vuln/detail/CVE-2021-44790
• https://access.redhat.com/security/cve/cve-2021-44790
• https://access.redhat.com/errata/RHSA-2022:0143
• The 3 CVEs are fixed by CentOS per this announcement: https://lists.centos.org/pipermail/centos-announce/2022-January/073551.html
Required Package Versions:
httpd-2.4.6-97.el7_9.4.x86_64.rpm
Packages:
httpd
Found during January 2022 CVE scan using vulscan
Screening: Marking as medium priority as this CVE meets the StarlingX fix criteria. Should be fixed in stx master and considered for cherry-pick to stx.6.0 if a maintenance release is planned