CVE-2021-36160

CWE-125Out-of-bounds ReadCWE-120Classic Buffer OverflowCWE-476NULL Pointer DereferenceCWE-918Server-Side Request Forgery (SSRF)11 documents10 sources
Severity
7.5HIGH
EPSS
3.7%
top 12.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
10
Apache Http ServerApache Software Foundation Apache Http ServerDebian Debian Linux+7 more
Timeline
PublishedSep 16
Latest updateMay 24

Description

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages9 packages

NVDapache/http_server2.4.302.4.49
CVEListV5apache_software_foundation/apache_http_serverApache HTTP Server 2.42.4.48
NVDoracle/http_server12.2.1.3.0, 12.2.1.4.0+1
Debianapache2< 2.4.51-1~deb11u1+3
NVDoracle/instantis_enterprisetrack17.1, 17.2, 17.3+2

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 34, 35

Patches

Patch: lists.apache.orgPatch: lists.apache.orgPatch: lists.apache.org

🔴Vulnerability Details

4
GHSA
GHSA-f4wr-wvqf-r2q5: A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS)2022-05-24
OSV
apache2 vulnerabilities2021-09-27
OSV
CVE-2021-36160: A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS)2021-09-16
CVEList
mod_proxy_uwsgi out of bound read2021-09-16

📋Vendor Advisories

6
Cisco
Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 20212021-11-24
Ubuntu
Apache HTTP Server vulnerabilities2021-09-27
Red Hat
httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path2021-09-16
Microsoft
mod_proxy_uwsgi out of bound read2021-09-14
Debian
CVE-2021-36160: apache2 - A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the...2021