Advisory ROSA-SA-2023-2160

Date: 2023-04-25 12:02:31
Source: ROSA LAB (abf.rosalinux.ru)

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.974 High
Percentile: 99.9%

Software: httpd 2.4.37
OS: ROSA Virtualization 2.1

package_evr_string: 2.4.37

CVE-ID: CVE-2021-36160
BDU-ID: 2021-06099
CVE-Crit: HIGH
CVE-DESC: A vulnerability in the mod_proxy_uwsgi function of the Apache HTTP Server web server is related to reading data outside of the specified buffer. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service of the application via the request uri-path
CVE-STATUS: Resolved
CVE-REV: To close, run the yum update httpd command

CVE-ID: CVE-2021-39275
BDU-ID: 2022-00203
CVE-Crit: HIGH
CVE-DESC: A vulnerability in the ap_escape_quotes() function of the Apache HTTP Server web server is related to a lack of input validation in the function. Exploitation of the vulnerability could allow an attacker acting remotely to gain access to sensitive data, compromise its integrity, and cause denial of service
CVE-STATUS: Resolved
CVE-REV: To close, run the yum update httpd command

CVE-ID: CVE-2021-40438
BDU-ID: 2021-04820
CVE-Crit: HIGH
CVE-DESC: A vulnerability in the mod_proxy module of the Apache HTTP Server web server is related to insufficient validation of incoming requests. Exploitation of the vulnerability could allow an attacker acting remotely to launch an SSRF attack
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update httpd command.

CVE-ID: CVE-2021-44224
BDU-ID: 2021-06393
CVE-Crit: HIGH
CVE-DESC: A vulnerability in the Apache HTTP server is related to server-side request forgery. Exploitation of the vulnerability could allow an attacker acting remotely to conduct an SSRF attack by sending a specially crafted HTTP request
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update httpd command

CVE-ID: CVE-2021-44790
BDU-ID: 2021-06392
CVE-Crit: CRITICAL
CVE-DESC: A vulnerability in the Apache HTTP server is related to an operation exceeding the buffer boundary in memory. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code by sending a specially crafted HTTP request
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update httpd command

CVE-ID: CVE-2022-22719
BDU-ID: 2022-01457
CVE-Crit: HIGH
CVE-DESC: A vulnerability in the Apache HTTP Server web server is related to input validation flaws. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service by sending specially generated data to the application
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update httpd command

CVE-ID: CVE-2022-22720
BDU-ID: 2022-01456
CVE-Crit: MEDIUM
CVE-DESC: A vulnerability in the Apache HTTP Server web server is related to flaws in HTTP request processing. Exploitation of the vulnerability could allow an attacker acting remotely to perform an HTTP request smuggling attack
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update httpd command

CVE-ID: CVE-2022-22721
BDU-ID: 2022-01455
CVE-Crit: CRITICAL
CVE-DESC: A vulnerability in the Apache HTTP Server web server is related to an operation exceeding buffer boundaries in memory. Exploitation of the vulnerability could allow an attacker acting remotely to cause arbitrary code to be executed
CVE-STATUS: Fixed
CVE-REV: To close, run yum update httpd

CVE-ID: CVE-2022-23943
BDU-ID: 2022-01461
CVE-Crit: CRITICAL
CVE-DESC: A vulnerability in the Apache HTTP Server web server is related to writing outside the memory buffer. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code
CVE-STATUS: Resolved
CVE-REV: To close, run the yum update httpd command

CVE-ID: CVE-2022-26377
BDU-ID: 2022-04115
CVE-Crit: MEDIUM
CVE-DESC: A vulnerability in the mod_proxy_ajp module of the Apache HTTP Server web server is related to improper validation of HTTP requests. Exploitation of the vulnerability could allow an attacker acting remotely to send a hidden HTTP request (HTTP Request Smuggling attack).
CVE-STATUS: Fixed
CVE-REV: To close, run the yum update httpd command.

OS | OS Version | Architecture | Package | Package Version | Filename
ROSA | any | noarch | httpd | < 2.4.37 | UNKNOWN
