Your submission was sent successfully! Close

CVE-2021-44790

Published: 20 December 2021

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

Notes

AuthorNote
mdeslaur
Fixed by r1896039 in 2.4.x
sbeattie
mod_lua is not runtime enabled with Apache's package config
in Ubuntu by default.
Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian
bionic
Released (2.4.29-1ubuntu4.21)
focal
Released (2.4.41-4ubuntu3.9)
hirsute
Released (2.4.46-4ubuntu1.5)
impish
Released (2.4.48-3.1ubuntu3.2)
jammy
Released (2.4.52-1ubuntu1)
trusty
Released (2.4.7-1ubuntu4.22+esm3)
upstream
Released (2.4.52)
xenial
Released (2.4.18-2ubuntu3.17+esm4)
Patches:
upstream: https://svn.apache.org/viewvc?view=revision&revision=1896039
upstream: https://github.com/apache/httpd/commit/07b9768cef6a224d256358c404c6ed5622d8acce