A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability, though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

Affected Software

| CPE Name | Name | Version |
|---|---|---|
| apache:http_server | apache http server | 2.4.51 |
| fedoraproject:fedora | fedoraproject fedora | 34 |
| fedoraproject:fedora | fedoraproject fedora | 35 |
| fedoraproject:fedora | fedoraproject fedora | 36 |
| debian:debian_linux | debian debian linux | 10.0 |
| debian:debian_linux | debian debian linux | 11.0 |
| tenable:tenable.sc | tenable tenable.sc | 5.20.0 |
| netapp:cloud_backup | netapp cloud backup | - |
| oracle:http_server | oracle http server | |
| oracle:instantis_enterprisetrack | oracle instantis enterprisetrack | 17.1 |
| oracle:instantis_enterprisetrack | oracle instantis enterprisetrack | 17.2 |
| oracle:instantis_enterprisetrack | oracle instantis enterprisetrack | 17.3 |
| oracle:http_server | oracle http server | |
| oracle:zfs_storage_appliance_kit | oracle zfs storage appliance kit | 8.8 |
| oracle:communications_operations_monitor | oracle communications operations monitor | 4.3 |
| oracle:communications_operations_monitor | oracle communications operations monitor | 4.4 |
| oracle:communications_operations_monitor | oracle communications operations monitor | 5.0 |
| oracle:communications_element_manager | oracle communications element manager | 9.0 |
| oracle:communications_session_report_manager | oracle communications session report manager | 9.0 |
| oracle:communications_session_route_manager | oracle communications session route manager | 9.0 |
| apple:macos | apple macos | 10.15.7 |
| apple:mac_os_x | apple mac os x | 10.15.7 |
| apple:macos | apple macos | 11.6.6 |
| apple:macos | apple macos | 12.4 |