CVE-2021-44790

NameCVE-2021-44790
DescriptionA carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-5035-1
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache2 (PTS)stretch2.4.25-3+deb9u9vulnerable
stretch (security)2.4.25-3+deb9u11vulnerable
buster2.4.38-3+deb10u5vulnerable
buster (security)2.4.38-3+deb10u7fixed
bullseye2.4.51-1~deb11u1vulnerable
bullseye (security)2.4.52-1~deb11u2fixed
bookworm, sid2.4.52-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache2sourcebuster2.4.38-3+deb10u7DSA-5035-1
apache2sourcebullseye2.4.52-1~deb11u2DSA-5035-1
apache2source(unstable)2.4.52-1

Notes

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-44790
Fixed by: https://svn.apache.org/r1896039

Search for package or bug name: Reporting problems