CVE-2021-30641

high-risk

Published 2021-06-10

Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

Do I need to act?

36.4% chance of exploitation in next 30 days

EPSS score — higher than 64% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Http Server

Debian Linux

Fedora

Enterprise Manager Ops Center

Instantis Enterprisetrack

Zfs Storage Appliance Kit

Debian Apache Oracle Fedoraproject

Vendor Advisory http://httpd.apache.org/security/vulnerabilities_24.html

Mailing List http://www.openwall.com/lists/oss-security/2021/06/10/8

Mailing List https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62...

Mailing List https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html

Third Party Advisory https://security.gentoo.org/glsa/202107-38

Third Party Advisory https://security.netapp.com/advisory/ntap-20210702-0001/

Third Party Advisory https://www.debian.org/security/2021/dsa-4937

Third Party Advisory https://www.oracle.com/security-alerts/cpuoct2021.html

Vendor Advisory http://httpd.apache.org/security/vulnerabilities_24.html

Mailing List http://www.openwall.com/lists/oss-security/2021/06/10/8

Mailing List https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62...

Mailing List https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html

and 4 more references

/ 100

high-risk

Severity 21/34 · High

Exploitability 16/34 · Moderate

Exposure 16/34 · Moderate