Updated: 2023-11-07 19:48:52.674796
Description:
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
Links | NIST | CIRCL | RHEL | Ubuntu |
CVSS version | Severity | Score |
---|---|---|
CVSS Version 2.x | HIGH | 7.5 |
CVSS Version 3.x | CRITICAL | 9.8 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
---|---|---|---|---|---|---|---|
CentOS 6 ELS | httpd | 2.2.15 | 9.8 | CRITICAL | Not Vulnerable | | 2022-04-19 21:49:50 |
CentOS 7 ELS | httpd | 2.4.6 | 9.8 | CRITICAL | Already Fixed | | 2023-09-19 09:30:25 |
CentOS 8.4 ELS | httpd | 2.4.37 | 9.8 | CRITICAL | Released | CLSA-2022:1643822315 | 2022-04-19 21:49:50 |
CentOS 8.5 ELS | httpd | 2.4.37 | 9.8 | CRITICAL | Released | CLSA-2022:1643914331 | 2022-04-19 21:49:50 |
CloudLinux 6 ELS | httpd | 2.2.15 | 9.8 | CRITICAL | Not Vulnerable | | 2022-04-19 21:49:50 |
Oracle Linux 6 ELS | httpd | 2.2.15 | 9.8 | CRITICAL | Not Vulnerable | | 2022-04-19 21:49:50 |
Ubuntu 16.04 ELS | apache2 | 2.4.18 | 9.8 | CRITICAL | Released | CLSA-2021:1640697114 | 2022-04-19 21:49:45 |
Ubuntu 18.04 ELS | apache2 | 2.4.29 | 9.8 | CRITICAL | Already Fixed | | 2023-04-28 08:48:56 |
The Lua module doesn’t exist in our httpd version for CentOS 6 ELS, Oracle Linux 6 ELS, CloudLinux 6. According to https://httpd.apache.org/docs/trunk/mod/mod_lua.html (Apache HTTP Server Version 2.5), it was added only in Apache 2.3.