CVE-2021-36160

high-risk

Published 2021-09-16

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

Do I need to act?

3.7% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Http Server

Fedora

Debian Linux

Cloud Backup

Clustered Data Ontap

Storagegrid

Communications Cloud Native Core Network Function Cloud Native Environment

Enterprise Manager Base Platform

Http Server

Instantis Enterprisetrack

Peoplesoft Enterprise Peopletools

Zfs Storage Appliance Kit

Brocade Fabric Operating System Firmware

Affected Vendors

Debian Apache Oracle Broadcom Fedoraproject Netapp

References (48)

Release Notes http://httpd.apache.org/security/vulnerabilities_24.html

Patch https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d1104379...

Patch https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a14...

Patch https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156...

Patch https://lists.apache.org/thread.html/r73260f6ba9fb52e43d860905fc90462ba5a814afda...

Patch https://lists.apache.org/thread.html/r7f2746e916ed370239bc1a1025e5ebbf345f79df9e...

Patch https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b318...

Patch https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c...

Patch https://lists.apache.org/thread.html/r94a61a1517133a19dcf40016e87454ea86e355d06a...

Patch https://lists.apache.org/thread.html/ra1c05a392587bfe34383dffe1213edc425de8d4afc...

Patch https://lists.apache.org/thread.html/ra87a69d0703d09dc52b86e32b08f8d7327af10acdd...

Patch https://lists.apache.org/thread.html/rb2341c8786d0f9924f5b666e82d8d170b4804f50a5...

Patch https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733aba...

Patch https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2...

Mailing List https://lists.debian.org/debian-lts-announce/2021/09/msg00016.html

Mailing List https://lists.debian.org/debian-lts-announce/2021/10/msg00016.html

Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202208-20

Third Party Advisory https://security.netapp.com/advisory/ntap-20211008-0004/

and 28 more references

/ 100

high-risk

Severity 26/34 · High

Exploitability 7/34 · Low

Exposure 20/34 · Moderate