According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.49. It is, therefore, affected by multiple vulnerabilities:
- A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. (CVE-2021-33193)
- Malformed requests may cause the server to dereference a NULL pointer. (CVE-2021-34798)
- A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). (CVE-2021-36160)
- ap_escape_quotes() may write beyond the end of a buffer when given malicious input. (CVE-2021-39275)
- A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. (CVE-2021-40438)
Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.
Vendor | Product | Version | CPE |
---|---|---|---|
apache | http_server | * | cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33193
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34798
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39275
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40438
archive.apache.org/dist/httpd/CHANGES_2.4.49
httpd.apache.org/security/vulnerabilities_24.html#2.4.49