VulnerableCode Package Details - pkg:alpm/archlinux/apache@2.4.49-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-3cav-6ztc-aaam Aliases: CVE-2021-41524	While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.	2.4.50-1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-zu48-7k19-aaan Aliases: CVE-2021-41773	A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.	2.4.50-1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-3cav-6ztc-aaam
Aliases:
CVE-2021-41524

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.

2.4.50-1
Affected by 1 other vulnerability.

VCID-zu48-7k19-aaan
Aliases:
CVE-2021-41773

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.

2.4.50-1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-aruc-3t3r-aaan	A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.	CVE-2021-40438
VCID-fccq-2kpj-aaap	A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).	CVE-2021-36160
VCID-kcnv-z2rj-aaaa	ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.	CVE-2021-39275
VCID-tnr1-zca1-aaaq	Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.	CVE-2021-34798
VCID-z9au-scjh-aaae	A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.	CVE-2021-33193

Vulnerability

Summary

Aliases

VCID-aruc-3t3r-aaan

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVE-2021-40438

VCID-fccq-2kpj-aaap

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

CVE-2021-36160

VCID-kcnv-z2rj-aaaa

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVE-2021-39275

VCID-tnr1-zca1-aaaq

Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVE-2021-34798

VCID-z9au-scjh-aaae

A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

CVE-2021-33193

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T07:45:27.359940+00:00	Arch Linux Importer	Fixing	VCID-z9au-scjh-aaae	https://security.archlinux.org/AVG-2289	36.0.0
2025-03-28T07:45:27.341278+00:00	Arch Linux Importer	Fixing	VCID-tnr1-zca1-aaaq	https://security.archlinux.org/AVG-2289	36.0.0
2025-03-28T07:45:27.322676+00:00	Arch Linux Importer	Fixing	VCID-fccq-2kpj-aaap	https://security.archlinux.org/AVG-2289	36.0.0
2025-03-28T07:45:27.303878+00:00	Arch Linux Importer	Fixing	VCID-kcnv-z2rj-aaaa	https://security.archlinux.org/AVG-2289	36.0.0
2025-03-28T07:45:27.285379+00:00	Arch Linux Importer	Fixing	VCID-aruc-3t3r-aaan	https://security.archlinux.org/AVG-2289	36.0.0
2025-03-28T07:45:25.134164+00:00	Arch Linux Importer	Affected by	VCID-3cav-6ztc-aaam	https://security.archlinux.org/AVG-2442	36.0.0
2025-03-28T07:45:25.115513+00:00	Arch Linux Importer	Affected by	VCID-zu48-7k19-aaan	https://security.archlinux.org/AVG-2442	36.0.0
2024-09-18T02:00:23.400706+00:00	Arch Linux Importer	Fixing	VCID-z9au-scjh-aaae	https://security.archlinux.org/AVG-2289	34.0.1
2024-09-18T02:00:23.378127+00:00	Arch Linux Importer	Fixing	VCID-tnr1-zca1-aaaq	https://security.archlinux.org/AVG-2289	34.0.1
2024-09-18T02:00:23.353260+00:00	Arch Linux Importer	Fixing	VCID-fccq-2kpj-aaap	https://security.archlinux.org/AVG-2289	34.0.1
2024-09-18T02:00:23.329492+00:00	Arch Linux Importer	Fixing	VCID-kcnv-z2rj-aaaa	https://security.archlinux.org/AVG-2289	34.0.1
2024-09-18T02:00:23.304357+00:00	Arch Linux Importer	Fixing	VCID-aruc-3t3r-aaan	https://security.archlinux.org/AVG-2289	34.0.1
2024-09-18T02:00:21.028667+00:00	Arch Linux Importer	Affected by	VCID-3cav-6ztc-aaam	https://security.archlinux.org/AVG-2442	34.0.1
2024-09-18T02:00:21.008174+00:00	Arch Linux Importer	Affected by	VCID-zu48-7k19-aaan	https://security.archlinux.org/AVG-2442	34.0.1
2024-01-03T22:26:38.873501+00:00	Arch Linux Importer	Fixing	VCID-z9au-scjh-aaae	https://security.archlinux.org/AVG-2289	34.0.0rc1
2024-01-03T22:26:38.851579+00:00	Arch Linux Importer	Fixing	VCID-tnr1-zca1-aaaq	https://security.archlinux.org/AVG-2289	34.0.0rc1
2024-01-03T22:26:38.829586+00:00	Arch Linux Importer	Fixing	VCID-fccq-2kpj-aaap	https://security.archlinux.org/AVG-2289	34.0.0rc1
2024-01-03T22:26:38.805412+00:00	Arch Linux Importer	Fixing	VCID-kcnv-z2rj-aaaa	https://security.archlinux.org/AVG-2289	34.0.0rc1
2024-01-03T22:26:38.783437+00:00	Arch Linux Importer	Fixing	VCID-aruc-3t3r-aaan	https://security.archlinux.org/AVG-2289	34.0.0rc1
2024-01-03T22:26:36.644490+00:00	Arch Linux Importer	Affected by	VCID-3cav-6ztc-aaam	https://security.archlinux.org/AVG-2442	34.0.0rc1
2024-01-03T22:26:36.622059+00:00	Arch Linux Importer	Affected by	VCID-zu48-7k19-aaan	https://security.archlinux.org/AVG-2442	34.0.0rc1

2025-03-28T07:45:27.359940+00:00

Arch Linux Importer

Fixing

Next non-vulnerable version	2.4.51-1
Latest non-vulnerable version	2.4.55-1
Risk	10.0