CVE-2021-44790

Updated: 2023-11-07 19:48:52.674796

Description:

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability, though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | HIGH | 7.5 |
| CVSS Version 3.x | CRITICAL | 9.8 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
|---|---|---|---|---|---|---|---|
| CentOS 6 ELS | httpd | 2.2.15 | 9.8 | CRITICAL | Not Vulnerable | | 2022-04-19 21:49:50 |
| CentOS 7 ELS | httpd | 2.4.6 | 9.8 | CRITICAL | Already Fixed | | 2023-09-19 09:30:25 |
| CentOS 8.4 ELS | httpd | 2.4.37 | 9.8 | CRITICAL | Released | CLSA-2022:1643822315 | 2022-04-19 21:49:50 |
| CentOS 8.5 ELS | httpd | 2.4.37 | 9.8 | CRITICAL | Released | CLSA-2022:1643914331 | 2022-04-19 21:49:50 |
| CloudLinux 6 ELS | httpd | 2.2.15 | 9.8 | CRITICAL | Not Vulnerable | | 2022-04-19 21:49:50 |
| Oracle Linux 6 ELS | httpd | 2.2.15 | 9.8 | CRITICAL | Not Vulnerable | | 2022-04-19 21:49:50 |
| Ubuntu 16.04 ELS | apache2 | 2.4.18 | 9.8 | CRITICAL | Released | CLSA-2021:1640697114 | 2022-04-19 21:49:45 |
| Ubuntu 18.04 ELS | apache2 | 2.4.29 | 9.8 | CRITICAL | Already Fixed | | 2023-04-28 08:48:56 |

Statement

The Lua module doesn’t exist in our httpd version for CentOS 6 ELS, Oracle Linux 6 ELS and CloudLinux 6. According to https://httpd.apache.org/docs/trunk/mod/mod_lua.html (Apache HTTP Server Version 2.5), it was added only in Apache 2.3.