Mattias Åsander

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions 2.4.0 through 2.4.65 **Description** An issue exists in Apache HTTP Server where improper neutralization of escape, meta, or control sequences can occur through environment variables set via the Apache configuration. This allows unexpectedly superseding of variables calculated by the server for CGI programs. The issue affects the handling of CGI programs and their environment variables. No information was provided regarding the number of potentially affected devices or any real-world incidents where this issue was exploited. The vulnerability involves the manipulation of environment variables used by CGI programs, potentially leading to unexpected behavior or code execution. Specifically, environment variables configured in the Apache configuration can override those calculated by the server itself. **Recommendations** Upgrade to version 2.4.66 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions 2.4.7 through 2.4.65 **Description** A flaw exists in Apache HTTP Server where a bypass of mod userdir+suexec is possible via the AllowOverride FileInfo functionality. Individuals with the ability to utilize the `RequestHeader` directive within an htaccess file can potentially cause CGI scripts to execute under an unintended user ID. **Recommendations** Upgrade to version 2.4.66 to resolve this issue.