Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
rosalinuxROSA LABROSA-SA-2023-2155
HistoryApr 18, 2023 - 12:09 p.m.

Advisory ROSA-SA-2023-2155

2023-04-1812:09:43
ROSA LAB
abf.rosalinux.ru
21

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.307 Low

EPSS

Percentile

96.9%

JSON

Software: mod_http2 1.15.7
OS: ROSA Virtualization 2.1

package_evr_string: 1.15.7

CVE-ID: CVE-2020-11993
BDU-ID: 2021-00779
CVE-Crit: MEDIUM
CVE-DESC: A vulnerability in the Apache HTTP Server’s implementation of the HTTP/2 web server mechanism is related to inconsistent interpretation of http requests. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service or lead to server misconfiguration
CVE-STATUS: Resolved
CVE-REV: To close, run the yum update mod_http2 command

CVE-ID: CVE-2021-33193
BDU-ID: 2021-04216
CVE-Crit: MEDIUM
CVE-DESC: A vulnerability in the mod_proxy module of the mod_proxy httpd daemon of the Apache HTTP Server web server is related to flaws in HTTP request handling. Exploitation of the vulnerability could allow an attacker acting remotely to send a hidden HTTP request (HTTP Request Smuggling attack).
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update mod_http2 command.

CVE-ID: CVE-2021-44224
BDU-ID: 2021-06393
CVE-Crit: HIGH
CVE-DESC: A vulnerability in the Apache HTTP server is related to server-side request forgery. Exploitation of the vulnerability could allow an attacker acting remotely to conduct an SSRF attack by sending a specially crafted HTTP request
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update mod_http2 command.

CVE-ID: CVE-2023-25690
BDU-ID: 2023-01738
CVE-Crit: CRITICAL
CVE-DESC: A vulnerability in the mod_proxy module of the Apache HTTP Server web server is related to flaws in the handling of the Transfer-Encoding header. Exploitation of the vulnerability could allow an attacker acting remotely to send a stealthy HTTP request (HTTP Request Smuggling attack)
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update mod_http2 command.

OSVersionArchitecturePackageVersionFilename
ROSAanynoarchmod_http2< 1.15.7UNKNOWN

Related

ibm 18
nessus 53
redhat 11
oraclelinux 5
rocky 5
almalinux 3
osv 18
openvas 24
cbl_mariner 7
prion 4
alpinelinux 4
redhatcve 4
suse 3
veracode 4
cve 4
ubuntucve 4
httpd 3
debiancve 4
zdt 2
hackerone 1
f5 3
photon 3
checkpoint_advisories 1
cnvd 1
ubuntu 1
githubexploit 2
packetstorm 1
fedora 2
altlinux 1
amazon 2
freebsd 1
ibm
ibm
Security Bulletin: Vulnerabilities in Apache HTTP (CVE-2021-33193 and CVE-2021-44224) affects Power HMC
2022-12-04 00:13:21
Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-44224)
2022-01-17 18:32:06
Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-33193)
2022-01-17 18:26:42
nessus
nessus
AlmaLinux 8 : httpd:2.4 (ALSA-2022:1915)
2022-05-12 00:00:00
Oracle Linux 8 : httpd:2.4 (ELSA-2022-1915)
2022-05-18 00:00:00
Rocky Linux 8 : httpd:2.4 (RLSA-2022:1915)
2023-11-06 00:00:00
redhat
redhat
(RHSA-2022:1915) Moderate: httpd:2.4 security and bug fix update
2022-05-10 08:07:40
(RHSA-2022:7143) Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 security update
2022-10-26 20:05:14
(RHSA-2023:1670) Important: httpd and mod_http2 security update
2023-04-06 14:39:22
oraclelinux
oraclelinux
httpd:2.4 security and bug fix update
2022-05-17 00:00:00
httpd:2.4 security update
2022-04-13 00:00:00
httpd and mod_http2 security update
2023-04-06 00:00:00
rocky
rocky
httpd:2.4 security and bug fix update
2022-05-10 08:07:40
httpd bug fix update
2023-05-25 19:53:09
httpd and mod_http2 security update
2023-04-12 01:41:37
almalinux
almalinux
Moderate: httpd:2.4 security and bug fix update
2022-05-10 08:07:40
Important: httpd and mod_http2 security update
2023-04-06 00:00:00
Important: httpd:2.4 security update
2023-04-06 00:00:00
osv
osv
Moderate: httpd:2.4 security and bug fix update
2022-05-10 08:07:40
Moderate: httpd:2.4 security and bug fix update
2022-05-10 08:07:40
CVE-2020-11993
2020-08-07 16:15:11
openvas
openvas
openSUSE: Security Advisory for apache2 (openSUSE-SU-2021:1234-1)
2021-09-08 00:00:00
Apache HTTP Server 2.4.17 < 2.4.49 'mod_proxy' HTTP/2 Request Smuggling Vulnerability - Linux
2021-08-09 00:00:00
openSUSE: Security Advisory for apache2 (openSUSE-SU-2021:2954-1)
2021-09-04 00:00:00
cbl_mariner
cbl_mariner
CVE-2021-33193 affecting package httpd 2.4.46-10
2022-04-09 06:51:57
CVE-2021-44224 affecting package httpd 2.4.46-10
2022-04-09 06:51:57
CVE-2020-11993 affecting package httpd 2.4.43-
2021-07-08 21:56:40
prion
prion
Information disclosure
2020-08-07 16:15:00
Input validation
2021-08-16 08:15:00
Design/Logic Flaw
2021-12-20 12:15:00
alpinelinux
alpinelinux
CVE-2020-11993
2020-08-07 16:15:00
CVE-2021-33193
2021-08-16 08:15:00
CVE-2021-44224
2021-12-20 12:15:00
redhatcve
redhatcve
CVE-2020-11993
2020-08-11 20:13:36
CVE-2021-33193
2021-08-12 02:03:43
CVE-2021-44224
2021-12-21 17:04:16
suse
suse
Security update for apache2 (important)
2021-09-07 00:00:00
Security update for apache2 (important)
2021-09-03 00:00:00
Security update for apache2 (important)
2020-10-31 00:00:00
veracode
veracode
Privilege Escalation
2021-08-13 01:56:49
Denial Of Service (DoS)
2021-12-21 08:11:59
Denial Of Service (DoS)
2020-08-11 03:25:00
cve
cve
CVE-2020-11993
2020-08-07 16:15:00
CVE-2021-33193
2021-08-16 08:15:00
CVE-2021-44224
2021-12-20 12:15:00
ubuntucve
ubuntucve
CVE-2020-11993
2020-08-07 00:00:00
CVE-2021-33193
2021-08-16 00:00:00
CVE-2021-44224
2021-12-20 00:00:00
httpd
httpd
Apache Httpd < 2.4.44 : Push Diary Crash on Specifically Crafted HTTP/2 Header
2020-06-16 00:00:00
Apache Httpd < 2.4.49 : Request splitting via HTTP/2 method injection and mod_proxy
2021-05-11 00:00:00
Apache Httpd < 2.4.52 : Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier
2021-12-20 00:00:00
debiancve
debiancve
CVE-2020-11993
2020-08-07 16:15:00
CVE-2021-33193
2021-08-16 08:15:00
CVE-2021-44224
2021-12-20 12:15:00
zdt
zdt
Apache 2 HTTP2 Module Concurrent Pool Usage Vulnerability
2020-12-08 00:00:00
Apache 2.4.55 mod_proxy HTTP Request Smuggling Exploit
2024-01-02 00:00:00
hackerone
hackerone
Internet Bug Bounty: Request line injection via HTTP/2 in Apache mod_proxy
2021-11-04 13:39:46
f5
f5
K94828628 : Apache mod_proxy HTTP/2 vulnerability CVE-2021-33193
2021-09-13 00:00:00
K16090693 : Apache HTTP server vulnerability CVE-2021-44224
2021-12-27 00:00:00
K000133098 : Apache vulnerability CVE-2023-25690
2023-03-22 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2021-0305
2021-09-24 00:00:00
Critical Photon OS Security Update - PHSA-2020-0125
2020-08-12 00:00:00
Important Photon OS Security Update - PHSA-2021-3.0-0305
2021-09-24 00:00:00
checkpoint_advisories
checkpoint_advisories
Apache httpd mod_proxy NULL Pointer Dereference (CVE-2021-44224)
2022-11-21 00:00:00
cnvd
cnvd
Apache HTTP Server code issue vulnerability
2021-12-24 00:00:00
ubuntu
ubuntu
Apache HTTP Server vulnerability
2023-03-22 00:00:00
githubexploit
githubexploit
Exploit for HTTP Request Smuggling in Apache Http Server
2023-05-22 03:06:31
Exploit for HTTP Request Smuggling in Apache Http Server
2023-12-04 16:58:53
packetstorm
packetstorm
Apache 2.4.55 mod_proxy HTTP Request Smuggling
2024-01-02 00:00:00
fedora
fedora
[SECURITY] Fedora 31 Update: mod_http2-1.15.14-1.fc31
2020-08-26 14:41:04
[SECURITY] Fedora 32 Update: mod_http2-1.15.14-1.fc32
2020-08-21 01:11:28
altlinux
altlinux
Security fix for the ALT Linux 10 package apache2 version 1:2.4.52-alt1
2021-12-27 00:00:00
amazon
amazon
Important: httpd24
2022-01-18 20:14:00
Important: mod_http2
2020-09-15 17:44:00
freebsd
freebsd
Apache httpd -- Multiple vulnerabilities
2021-12-20 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.307 Low

EPSS

Percentile

96.9%

JSON
Related for ROSA-SA-2023-2155
ibm18nessus53redhat11oraclelinux5rocky5almalinux3osv18openvas24cbl_mariner7prion4alpinelinux4redhatcve4suse3veracode4cve4ubuntucve4httpd3debiancve4zdt2hackerone1f53photon3checkpoint_advisories1cnvd1ubuntu1githubexploit2packetstorm1fedora2altlinux1amazon2freebsd1