Buffer overflow in Apache Software Foundation Http Server
CVE-2021-44790
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craf…
Vulnerability class: Buffer Overflow
EPSS: 0.862 (99.4th percentile)
Affected products
- Apache Software Foundation Http Server: Apache HTTP Server 2.4
Weakness classification (CWE)
Public proof-of-concept exploits
References
- httpd.apache.org/security/vulnerabilities_24.html
- [oss-security] 20211220 CVE-2021-44790: Apache HTTP Server: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (mailing-list)
- FEDORA-2021-29a536c2ae (vendor-advisory)
- DSA-5035 (vendor-advisory)
- www.oracle.com/security-alerts/cpujan2022.html
- security.netapp.com/advisory/ntap-20211224-0001/
- www.tenable.com/security/tns-2022-01
- www.tenable.com/security/tns-2022-03
- FEDORA-2022-b4103753e9 (vendor-advisory)
- FEDORA-2022-21264ec6db (vendor-advisory)
Frequently asked questions
- What is CVE-2021-44790?
- CVE-2021-44790 is a vulnerability in Apache Software Foundation Http Server, classified under Out-of-bounds Write. Published 2021-12-20.
- Is CVE-2021-44790 known to be exploited?
- 24 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.