Vulnerability in Apache HTTP Server

Published on 10 Jan 2022

Updated on 11 Jan 2022

Security researchers have discovered a buffer overflow vulnerability (CVE-2021-44790) in Apache HTTP Server. Successful exploitation could allow an attacker to perform a remote code execution attack.

The vulnerability is exploited through a carefully crafted request body that could cause a buffer overflow in the mod_lua multipart parser (r:parsebody(), called from Lua scripts).

This vulnerability affects Apache HTTP Server versions 2.4.51 and earlier. Administrators of the affected versions are advised to upgrade to the latest Apache HTTP Server version 2.4.52 immediately.
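As an added example (not part of this advisory), the POSIX shell check below parses the `httpd -v` banner and `httpd -M` module list to flag hosts still on 2.4.51 or earlier with mod_lua loaded; it assumes the standard output formats of those two commands, and the sample banner and module-list strings are constructed.

```sh
# Added example, not from the advisory: flag httpd installs that are still on
# 2.4.51 or earlier *and* have mod_lua loaded (the affected component).
# Assumes the standard "httpd -v" / "httpd -M" output formats.

# Pull "2.4.51" out of a banner line such as "Server version: Apache/2.4.51 (Unix)".
httpd_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 when a 2.4.x version is <= 2.4.51 (affected), 1 when fixed (2.4.52+),
# 2 when the string is not a dotted x.y.z version this check can judge.
httpd_affected_by_cve_2021_44790() {
  v=$1
  case $v in [0-9]*.[0-9]*.[0-9]*) ;; *) return 2 ;; esac
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; rest=${rest#*.}
  patch=${rest%%[!0-9]*}         # drop distro suffixes such as "-4ubuntu3"
  [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$patch" -le 51 ]
}

# Given "httpd -M" output, report whether mod_lua is loaded (static or shared).
mod_lua_loaded() {
  printf '%s\n' "$1" | grep -q '^[[:space:]]*lua_module'
}

# Combine both checks. Return 0 (exposed) only when the version is affected and
# mod_lua is loaded; whether any Lua script actually calls r:parsebody() still
# has to be confirmed by reviewing the configured scripts.
assess_httpd() {
  ver=$(httpd_version_from_banner "$1")
  [ -n "$ver" ] || { echo "could not parse version from banner"; return 2; }
  if httpd_affected_by_cve_2021_44790 "$ver" && mod_lua_loaded "$2"; then
    echo "httpd $ver with mod_lua loaded: affected by CVE-2021-44790, upgrade to 2.4.52"
    return 0
  fi
  echo "httpd $ver: not exposed (fixed version or mod_lua not loaded)"
  return 1
}

# Constructed sample output standing in for a real host; on a live system run
#   assess_httpd "$(httpd -v)" "$(httpd -M 2>/dev/null)"
SAMPLE_BANNER='Server version: Apache/2.4.51 (Unix)
Server built:   Oct  7 2021 16:47:24'
SAMPLE_MODULES=' core_module (static)
 lua_module (shared)
 ssl_module (shared)'
```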

More information is available here:
https://httpd.apache.org/security/vulnerabilities_24.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44790
https://nvd.nist.gov/vuln/detail/CVE-2021-44790
https://portswigger.net/daily-swig/internet-bug-bounty-high-severity-vulnerability-in-apache-http-server-could-lead-to-rce