VulnerableCode Package Details - pkg:deb/ubuntu/apache2@2.4.41-4ubuntu3.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-aruc-3t3r-aaan Aliases: CVE-2021-40438	A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.	2.4.41-4ubuntu3.6 Affected by 0 other vulnerabilities.
VCID-fccq-2kpj-aaap Aliases: CVE-2021-36160	A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).	2.4.41-4ubuntu3.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-kcnv-z2rj-aaaa Aliases: CVE-2021-39275	ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.	2.4.41-4ubuntu3.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-tnr1-zca1-aaaq Aliases: CVE-2021-34798	Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.	2.4.41-4ubuntu3.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-z9au-scjh-aaae Aliases: CVE-2021-33193	A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.	2.4.41-4ubuntu3.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-aruc-3t3r-aaan
Aliases:
CVE-2021-40438

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

2.4.41-4ubuntu3.6
Affected by 0 other vulnerabilities.

VCID-fccq-2kpj-aaap
Aliases:
CVE-2021-36160

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

2.4.41-4ubuntu3.5
Affected by 1 other vulnerability.

VCID-kcnv-z2rj-aaaa
Aliases:
CVE-2021-39275

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

2.4.41-4ubuntu3.5
Affected by 1 other vulnerability.

VCID-tnr1-zca1-aaaq
Aliases:
CVE-2021-34798

Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

2.4.41-4ubuntu3.5
Affected by 1 other vulnerability.

VCID-z9au-scjh-aaae
Aliases:
CVE-2021-33193

A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

2.4.41-4ubuntu3.5
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-2dyn-1fxu-aaaa	Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service	CVE-2020-13950
VCID-38cq-p1jy-aaag	Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'	CVE-2021-30641
VCID-6cg8-antz-aaap	Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service	CVE-2021-26690
VCID-cspd-eg4d-aaaf	In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow	CVE-2021-26691
VCID-qz6b-x9ps-aaae	Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow	CVE-2020-35452

Vulnerability

Summary

Aliases

VCID-2dyn-1fxu-aaaa

Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service

CVE-2020-13950

VCID-38cq-p1jy-aaag

Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

CVE-2021-30641

VCID-6cg8-antz-aaap

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service

CVE-2021-26690

VCID-cspd-eg4d-aaaf

In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow

CVE-2021-26691

VCID-qz6b-x9ps-aaae

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow

CVE-2020-35452

Next non-vulnerable version	2.4.41-4ubuntu3.6
Latest non-vulnerable version	2.4.41-4ubuntu3.6
Risk	10.0