CVE-2021-44790

CRITICAL

Apache HTTP Server < 2.4.52 - Out-of-Bounds Write

Title source: rule

Description

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability, though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Sunil Iyengar · python · webapps · multiple
https://www.exploit-db.com/exploits/51193
nomisec WORKING POC 4 stars
by nuPacaChi · poc
https://github.com/nuPacaChi/-CVE-2021-44790

References (20)

Scores

CVSS v3 9.8
EPSS 0.8601
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-787
Status published
Products (22)
apache/http_server < 2.4.52
apple/macos < 10.15.7
apple/mac_os_x 10.15.7 security_update_2020-001 (12 CPE variants)
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 34
fedoraproject/fedora 35
fedoraproject/fedora 36
netapp/cloud_backup
oracle/communications_element_manager < 9.0
... and 12 more
Published Dec 20, 2021
Tracked Since Feb 18, 2026