VulnerableCode Package Details - pkg:alpm/archlinux/apache@2.4.49-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-ffpe-1ctd-77e9 Aliases: CVE-2021-41773	A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.	2.4.50-1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-hj5r-jms3-x3fe Aliases: CVE-2021-41524	While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.	2.4.50-1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-ffpe-1ctd-77e9
Aliases:
CVE-2021-41773

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

2.4.50-1
Affected by 1 other vulnerability.

VCID-hj5r-jms3-x3fe
Aliases:
CVE-2021-41524

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.

2.4.50-1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-9u53-b79b-cfgd	Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.	CVE-2021-34798
VCID-db6k-j9mj-e7hy	A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.	CVE-2021-33193
VCID-mtg7-8556-kbgd	A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.	CVE-2021-40438
VCID-rdtq-8ng5-53fn	A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).	CVE-2021-36160
VCID-wrw6-uzz4-rkfb	ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.	CVE-2021-39275

Vulnerability

Summary

Aliases

VCID-9u53-b79b-cfgd

Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVE-2021-34798

VCID-db6k-j9mj-e7hy

A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

CVE-2021-33193

VCID-mtg7-8556-kbgd

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVE-2021-40438

VCID-rdtq-8ng5-53fn

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

CVE-2021-36160

VCID-wrw6-uzz4-rkfb

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVE-2021-39275

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T18:25:20.837692+00:00	Arch Linux Importer	Fixing	VCID-db6k-j9mj-e7hy	https://security.archlinux.org/AVG-2289	38.0.0
2026-04-01T18:25:20.815755+00:00	Arch Linux Importer	Fixing	VCID-9u53-b79b-cfgd	https://security.archlinux.org/AVG-2289	38.0.0
2026-04-01T18:25:20.791242+00:00	Arch Linux Importer	Fixing	VCID-rdtq-8ng5-53fn	https://security.archlinux.org/AVG-2289	38.0.0
2026-04-01T18:25:20.768759+00:00	Arch Linux Importer	Fixing	VCID-wrw6-uzz4-rkfb	https://security.archlinux.org/AVG-2289	38.0.0
2026-04-01T18:25:20.745857+00:00	Arch Linux Importer	Fixing	VCID-mtg7-8556-kbgd	https://security.archlinux.org/AVG-2289	38.0.0
2026-04-01T18:25:18.652915+00:00	Arch Linux Importer	Affected by	VCID-hj5r-jms3-x3fe	https://security.archlinux.org/AVG-2442	38.0.0
2026-04-01T18:25:18.627140+00:00	Arch Linux Importer	Affected by	VCID-ffpe-1ctd-77e9	https://security.archlinux.org/AVG-2442	38.0.0