After the critical Remote Code Execution vulnerability found in the Apache Log4j logging library, another High severity vulnerability was patched by the Apache team in a different product.
Recently, Apache HTTP Server released a security update that fixes server-side request forgery (SSRF) and buffer overflow vulnerabilities in Apache HTTP Server. Attackers can use these vulnerabilities to carry out server-side request forgery and buffer overflow attacks.
Apache HTTP Server is a multi-modular server. After many modifications, it has become the world's number one Web server software. It can run on almost all widely used computer platforms. The Apache server is characterized by simple use, fast speed, stable performance, and can be used as a load balancing and proxy server.
The server-side request forgery (SSRF) vulnerability tracked as CVE-2021-44224 is been marked with moderate severity. The vulnerability exists due to insufficient verification of the input provided by the user in the forward proxy configuration. A remote attacker can send a specially crafted HTTP request and trick the Web server to initiate a request to any system or cause a NULL pointer to dereference error and crash the Web server. Successful exploitation of this vulnerability could allow remote attackers to access sensitive data located in the local network or send malicious requests from vulnerable systems to other servers. This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
The buffer overflow vulnerabilities in Apache HTTP Server tracked as CVE-2021-44790 is been marked high severity. The vulnerability exists due to boundary errors when parsing multipart content in mod_lua. A remote attacker can send a specially crafted HTTP request to the affected Web server, trigger a buffer overflow and execute arbitrary code on the target system.
|CVE-2021-44790||Buffer overflow||High Risk||Unknown||Unknown|