CVE-2021-44790 Information
Description
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability, though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
http://httpd.apache.org/security/vulnerabilities_24.html
http://www.openwall.com/lists/oss-security/2021/12/20/4
https://lists.fedoraproject.org/archives/list/[email protected]/message/BFSWOH4X77CV7AH7C4RMHUBDWKQDL4YH/
https://security.netapp.com/advisory/ntap-20211224-0001/
https://www.debian.org/security/2022/dsa-5035
https://www.tenable.com/security/tns-2022-01
https://www.tenable.com/security/tns-2022-03
https://www.oracle.com/security-alerts/cpujan2022.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/RGWILBORT67SHMSLYSQZG2NMXGCMPUZO/
https://lists.fedoraproject.org/archives/list/[email protected]/message/Z7H26WJ6TPKNWV3QKY4BHKUKQVUTZJTD/
https://lists.fedoraproject.org/archives/list/[email protected]/message/X73C35MMMZGBVPQQCH7LQZUMYZNQA5FO/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://support.apple.com/kb/HT213255
https://support.apple.com/kb/HT213256
https://support.apple.com/kb/HT213257
http://seclists.org/fulldisclosure/2022/May/38
http://seclists.org/fulldisclosure/2022/May/33
http://seclists.org/fulldisclosure/2022/May/35
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
9.8