PT-2021-5758 · Apache+9 · Apache Http Server+9

Clusterfuzz

·

Published

2021-08-04

·

Updated

2025-05-01

·

CVE-2021-39275

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 2.4.48 and earlier
Description The issue is related to the ap escape quotes() function, which may write beyond the end of a buffer when given malicious input. Although no included modules pass untrusted data to these functions, third-party or external modules may. This could allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service.
Recommendations For Apache HTTP Server versions 2.4.48 and earlier, consider disabling the ap escape quotes() function until a patch is available to prevent potential buffer overflow issues. Additionally, restrict the use of third-party or external modules that may pass untrusted data to this function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-787

Related Identifiers

ALSA-2022:0891
ALT-PU-2021-2866
ALT-PU-2021-2972
ALT-PU-2021-3037
ALT-PU-2021-3060
AZL-6486
BDU:2022-00203
BIT-APACHE-2021-39275
CESA-2022_0143
CESA-2022_0891
CVE-2021-39275
DLA-2776-1
DSA-4982-1
MGASA-2021-0439
OESA-2021-1387
OPENSUSE-SU-2021:1438-1
OPENSUSE-SU-2021:3522-1
OPENSUSE-SU-2021_1438-1
OPENSUSE-SU-2021_3522-1
RHSA-2022:0143
RHSA-2022:0891
RHSA-2022:6753
RHSA-2022:7143
RHSA-2022_0143
RHSA-2022_0891
RLSA-2022:0891
ROSA-SA-2023-2158
SUSE-SU-2021:14811-1
SUSE-SU-2021:3299-1
SUSE-SU-2021:3335-1
SUSE-SU-2021:3522-1
SUSE-SU-2021_14811-1
USN-5090-1
USN-5090-2
USN-5090-3
USN-5090-4

Affected Products

Alt Linux
Almalinux
Apache Http Server
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu