CVE-2021-44790

NameCVE-2021-44790
DescriptionA carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2907-1, DSA-5035-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache2 (PTS)buster2.4.38-3+deb10u8fixed
buster (security)2.4.38-3+deb10u10fixed
bullseye2.4.56-1~deb11u2fixed
bullseye (security)2.4.59-1~deb11u1fixed
bookworm2.4.57-2fixed
bookworm (security)2.4.59-1~deb12u1fixed
trixie2.4.58-1fixed
sid2.4.59-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache2sourcestretch2.4.25-3+deb9u12DLA-2907-1
apache2sourcebuster2.4.38-3+deb10u7DSA-5035-1
apache2sourcebullseye2.4.52-1~deb11u2DSA-5035-1
apache2source(unstable)2.4.52-1

Notes

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-44790
Fixed by: https://svn.apache.org/r1896039
Search for package or bug name: Reporting problems