Bug 2005119 (CVE-2021-39275)
Summary: | CVE-2021-39275 httpd: Out-of-bounds write in ap_escape_quotes() via malicious input | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | anon.amish, aogburn, asoldano, atangrin, bbaranow, bmalviya, bmaxwell, bnater, brian.stansberry, caswilli, cdewolf, cfeng, chazlett, csutherl, darran.lofthouse, dkreling, dosoudil, eleandro, fjansen, fjuma, gzaronik, hhorak, iweiss, jclere, jkaluza, jnakfour, jochrist, jorton, jpallich, jperkins, jwong, jwon, kaycoth, krathod, kwills, lgao, luhliari, msochure, msvehla, mturk, nwallace, oliver.erdi, pahan, pjindal, pmackay, rguimara, rschiron, rstancel, rsvoboda, smaestri, szappis, tom.jenkinson, yborgess, ykhutale, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | httpd 2.4.49 | Doc Type: | If docs needed, set a value |
Doc Text: | An out-of-bounds write in function ap_escape_quotes of httpd allows an unauthenticated remote attacker to crash the server or potentially execute code on the system with the privileges of the httpd user, by providing malicious input to the function. |
Last Closed: | 2022-01-17 10:01:17 UTC | Type: | --- |
Bug Depends On: | 2005120, 2007194, 2007195, 2007196, 2007197, 2009780, 2009781, 2027868, 2031074, 2057087, 2057463, 2059257 | ||
Bug Blocks: | 2005130 |
Description
Guilherme de Almeida Suckevicz
2021-09-16 20:22:56 UTC
Created httpd tracking bugs for this issue:
Affects: fedora-all [bug 2005120]

This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Enterprise Application Platform 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Hi,
May I know when to fix this in Red Hat JBoss Core Service of fjbcs-httpd24-httpd?
Thanks
Hunter

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2022:0143 https://access.redhat.com/errata/RHSA-2022:0143

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-39275

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:0891 https://access.redhat.com/errata/RHSA-2022:0891

May I know when to fix this in Red Hat JBoss Core Service of fjbcs-httpd24-httpd?

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Via RHSA-2022:6753 https://access.redhat.com/errata/RHSA-2022:6753

This issue has been addressed in the following products:
Red Hat JBoss Core Services
Via RHSA-2022:7144 https://access.redhat.com/errata/RHSA-2022:7144

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8
Via RHSA-2022:7143 https://access.redhat.com/errata/RHSA-2022:7143