CVE-2021-44790

NameCVE-2021-44790
DescriptionA carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2907-1, DSA-5035-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache2 (PTS)buster2.4.38-3+deb10u8fixed
buster (security)2.4.38-3+deb10u7fixed
bullseye2.4.54-1~deb11u1fixed
bullseye (security)2.4.52-1~deb11u2fixed
bookworm, sid2.4.54-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache2sourcestretch2.4.25-3+deb9u12DLA-2907-1
apache2sourcebuster2.4.38-3+deb10u7DSA-5035-1
apache2sourcebullseye2.4.52-1~deb11u2DSA-5035-1
apache2source(unstable)2.4.52-1

Notes

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-44790
Fixed by: https://svn.apache.org/r1896039

Search for package or bug name: Reporting problems