CVE-2021-26690

Advisory lineage Upstream: 0 Downstream: 15
Modified
Published: 10 Jun 2021, 07:10
Last modified:03 Aug 2024, 20:33

Vulnerability Summary

Overall Risk (default)
medium
42/100
CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
60.35% CRITICAL
60% probability -8.26%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

10 Jun 2021, 07:10
Published
Vulnerability first disclosed
03 Aug 2024, 20:33
Last Modified
Vulnerability information updated

Description

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service

CVSS Metrics

  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • v2.0MEDIUMScore: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 60.35% Percentile: 98%

Techniques & Countermeasures

  • CWE-476NULL Pointer Dereference

    The product dereferences a pointer that it expects to be valid but is NULL.

Affected Systems

  • apache software foundationapache http server

    2.4.46 | 2.4.43 | 2.4.41 | 2.4.39 | 2.4.38 | 2.4.37 | 2.4.35 | 2.4.34 | 2.4.33 | 2.4.29 | 2.4.28 | 2.4.27 | 2.4.26 | 2.4.25 | 2.4.23 | 2.4.20 | 2.4.18 | 2.4.17 | 2.4.16 | 2.4.12 | 2.4.10 | 2.4.9 | 2.4.7 | 2.4.6 | 2.4.4 | 2.4.3 | 2.4.2 | 2.4.1 | 2.4.0

  • UnknownHTTP Server

    ≥ 2.4.0, ≤ 2.4.46

  • debiandebian_linux

    9.0 | 10.0

  • fedoraprojectfedora

    34 | 35

  • oracleenterprise_manager_ops_center

    12.4.0.0

  • oracleinstantis_enterprisetrack

    17.1 | 17.2 | 17.3

  • oraclezfs_storage_appliance_kit

    8.8

References (12)