CVE-2021-44790 — Possible buffer overflow when parsing multipart content in mod_lua of Apache HTT

Description

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

How to fix CVE-2021-44790

To remediate CVE-2021-44790, upgrade the affected package to a fixed version below.

—upgrade to 2.4.52-r0 or later
—upgrade to 2.4.52 or later
—upgrade to 2.4.52-1~deb11u2 or later

Is CVE-2021-44790 being exploited?

Likely — EPSS is 86.2%, placing CVE-2021-44790 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (3)

from 0, < 2.4.52-r0
from 0, < 2.4.52
from 0, < 2.4.52-1~deb11u2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (23)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2021-44790
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-44790
WEBhttpd.apache.org/security/vulnerabilities_24.html
WEBpacketstormsecurity.com/files/171631/Apache-2.4.x-Buffer-Overflow.html