Vulnerability in Apache Software Foundation Http Server
CVE-2021-30641
Apache HTTP Server versions 2.4.39 to 2.4.46: unexpected matching behavior with 'MergeSlashes OFF'.
EPSS: 0.518 (98.8th percentile)
Affected products
- Apache Software Foundation Http Server — versions 2.4.46, 2.4.43, 2.4.41
References
- httpd.apache.org/security/vulnerabilities_24.html (x_refsource_MISC)
- lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cb… (x_refsource_MISC)
- [httpd-announce] 20210609 CVE-2021-30641: Unexpected URL matching with 'MergeSlashes OFF' (mailing-list, x_refsource_MLIST)
- [httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json (mailing-list, x_refsource_MLIST)
- [oss-security] 20210609 CVE-2021-30641: Apache httpd: Unexpected URL matching with 'MergeSlashes OFF' (mailing-list, x_refsource_MLIST)
- [debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update (mailing-list, x_refsource_MLIST)
- DSA-4937 (vendor-advisory, x_refsource_DEBIAN)
- GLSA-202107-38 (vendor-advisory, x_refsource_GENTOO)
- FEDORA-2021-dce7e7738e (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2021-e3f6dd670d (vendor-advisory, x_refsource_FEDORA)
Frequently asked questions
- What is CVE-2021-30641?
- CVE-2021-30641 is a vulnerability in Apache Software Foundation Http Server. Published 2021-06-10.
- Is CVE-2021-30641 known to be exploited?
- 14 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.