Vulnerability DatabaseCVE-2021-39275

CVE-2021-39275:
Apache HTTP Server vulnerability analysis and mitigation

Overview

CVE-2021-39275 affects Apache HTTP Server 2.4.48 and earlier versions. The vulnerability was discovered in the apescapequotes() function which may write beyond the end of a buffer when given malicious input. While no included modules pass untrusted data to these functions, third-party or external modules may be affected (Apache HTTP Server).

Technical details

The vulnerability exists in the apescapequotes() function which can perform an out-of-bounds write operation when processing malicious input. The issue was discovered through ClusterFuzz testing (Apache HTTP Server). The vulnerability has a CVSS base score of 9.8 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Ubuntu CVE).

Impact

A successful exploitation of this vulnerability could lead to buffer overflow, potentially allowing an attacker to execute arbitrary code or cause a denial of service condition. However, the impact is limited since no included Apache modules pass untrusted data to these functions, though third-party modules may be affected (Red Hat CVE).

Mitigation and workarounds

The vulnerability was fixed in Apache HTTP Server version 2.4.49. Users are recommended to upgrade to this version or later. No workarounds are available - the best mitigation is to upgrade to a patched version (Apache HTTP Server).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

9.8

Score

Published September 16, 2021

Severity CRITICAL

CNA Score N/A

Affected Technologies

Apache HTTP Server
Alma Linux

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 97.5

Exploitation Probability (EPSS) 44.8

Affected packages and libraries

mod_ldap
mod_session-debuginfo

Sources

AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: Jul 20, 2022
Alpine Security Tracker
- Alpine 3.11, 3.12, 3.13, 3.14 Severity CRITICALHas FixAdded at: Nov 23, 2021
- Alpine 3.15 Severity CRITICALHas FixAdded at: Nov 25, 2021
- Alpine 3.16 Severity CRITICALHas FixAdded at: May 24, 2022
- Alpine 3.17 Severity CRITICALHas FixAdded at: Nov 23, 2022
- Alpine 3.18 Severity CRITICALHas FixAdded at: May 10, 2023
- Alpine 3.19 Severity CRITICALHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity CRITICALHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity CRITICALHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity CRITICALHas FixAdded at: Jun 01, 2025
- Alpine edge Severity CRITICALHas FixAdded at: Jun 19, 2023
CBL-Mariner
- CBL-Mariner 1.0, 2.0 Severity CRITICALHas FixAdded at: Jun 10, 2023
Debian Security Tracker
- Debian 9, 10, 11, 12 Severity CRITICALHas FixAdded at: Nov 23, 2021
- Debian 13 Severity CRITICALHas FixAdded at: Jun 11, 2023
- Debian 14 Severity CRITICALHas FixAdded at: Aug 10, 2025
Gentoo Advisory Database
- Gentoo Severity HIGHHas FixAdded at: Aug 14, 2022
Photon Security Advisory
- Photon 1.0, 2.0, 3.0 Severity CRITICALHas FixAdded at: Nov 23, 2021
Red Hat Errata
- Red Hat 6 Severity MEDIUMNo FixAdded at: Nov 23, 2021
- Red Hat 7 Severity MEDIUMHas FixAdded at: Nov 23, 2021
- Red Hat 8 Severity MEDIUMHas FixAdded at: Nov 23, 2021
Ubuntu Security Tracker
- Ubuntu 14.04, 16.04 Severity MEDIUMHas FixAdded at: Mar 28, 2022
- Ubuntu 18.04, 20.04, 21.04 Severity MEDIUMHas FixAdded at: Nov 23, 2021
- Ubuntu 21.10, 22.04 Severity MEDIUMHas FixAdded at: Nov 01, 2022
NVD
- Linux Severity CRITICALHas FixAdded at: Nov 23, 2021
- Windows Severity CRITICALHas FixAdded at: Nov 23, 2021