CVE-2021-26691

Advisory lineage Upstream: 0 Downstream: 16

Downstream

ALPINE-CVE-2021-26691 DEBIAN-CVE-2021-26691 DLA-2706-1 DSA-4937-1 MGASA-2021-0265 OPENSUSE-SU-2021:0908-1

Modified

Published: 10 Jun 2021, 07:10

Last modified:03 Aug 2024, 20:33

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.1 (nvd)

EPSS Score

47.82% HIGH

48% probability +11.55%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

10 Jun 2021, 07:10

Published

Vulnerability first disclosed

03 Aug 2024, 20:33

Last Modified

Vulnerability information updated

Description

In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow

CVSS Metrics

v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 47.82%• Percentile: 98%

Techniques & Countermeasures

CWE-787•Out-of-bounds Write
The product writes data past the end, or before the beginning, of the intended buffer.
CWE-122•Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Affected Systems

apache software foundation•apache http server
2.4.46 | 2.4.43 | 2.4.41 | 2.4.39 | 2.4.38 | 2.4.37 | 2.4.35 | 2.4.34 | 2.4.33 | 2.4.29 | 2.4.28 | 2.4.27 | 2.4.26 | 2.4.25 | 2.4.23 | 2.4.20 | 2.4.18 | 2.4.17 | 2.4.16 | 2.4.12 | 2.4.10 | 2.4.9 | 2.4.7 | 2.4.6 | 2.4.4 | 2.4.3 | 2.4.2 | 2.4.1 | 2.4.0
Unknown•HTTP Server
≥ 2.4.0, ≤ 2.4.46
debian•debian_linux
9.0 | 10.0
fedoraproject•fedora
34 | 35
netapp•cloud_backup
na
oracle•enterprise_manager_ops_center
12.4.0.0
oracle•instantis_enterprisetrack
17.1 | 17.2 | 17.3
oracle•secure_backup
< 18.1.0.1.0
oracle•zfs_storage_appliance_kit
8.8