Out-of-bounds Read in Apache Software Foundation Http Server
CVE-2021-36160
A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).
Vulnerability class: Buffer Overflow
EPSS: 0.629 (99.1st percentile)
Affected products
- Apache Software Foundation Http Server — affected version line: Apache HTTP Server 2.4
Weakness classification (CWE)
Public proof-of-concept exploits
References
- httpd.apache.org/security/vulnerabilities_24.html (x_refsource_MISC)
- [httpd-cvs] 20210916 [httpd-site] branch main updated: Revert "Add descriptions for CVE-2021-33193 CVE-2021-36160" (mailing-list, x_refsource_MLIST)
- [httpd-cvs] 20210916 [httpd-site] branch main updated: Add descriptions for CVE-2021-33193 CVE-2021-36160 (mailing-list, x_refsource_MLIST)
- FEDORA-2021-dce7e7738e (vendor-advisory, x_refsource_FEDORA)
- [httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info (mailing-list, x_refsource_MLIST)
- [httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info (mailing-list, x_refsource_MLIST)
- [httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info (mailing-list, x_refsource_MLIST)
- [httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info (mailing-list, x_refsource_MLIST)
- FEDORA-2021-e3f6dd670d (vendor-advisory, x_refsource_FEDORA)
- [debian-lts-announce] 20210929 [SECURITY] [DLA 2768-1] uwsgi security update (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2021-36160?
- CVE-2021-36160 is a vulnerability in Apache Software Foundation Http Server, classified under Out-of-bounds Read. Published 2021-09-16.
- Is CVE-2021-36160 known to be exploited?
- 9 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.