CVE-2021-44790: 
Apache HTTP Server vulnerability analysis and mitigation

A carefully crafted request body can cause a buffer overflow in the modlua multipart parser (r:parsebody() called from Lua scripts) in Apache HTTP Server 2.4.51 and earlier. The vulnerability was discovered on December 7, 2021 and publicly disclosed on December 20, 2021. The Apache httpd team was not aware of an exploit for the vulnerability at the time of disclosure, though they noted it might be possible to craft one ([Apache Security](http://httpd.apache.org/security/vulnerabilities24.html), OSS Security).

The vulnerability exists in the mod_lua module's multipart parser functionality, specifically in the r:parsebody() function that can be called from Lua scripts. When processing a specially crafted request body, a buffer overflow condition can occur. The vulnerability has been assigned CVE-2021-44790 and received a CVSS v3.1 base score of 9.8 (CRITICAL), indicating the highest severity level (NVD).

If successfully exploited, this vulnerability could lead to arbitrary code execution on affected systems. The buffer overflow condition could allow an attacker to execute malicious code with the privileges of the Apache web server process. This could potentially lead to complete system compromise (Rapid7).

The vulnerability was fixed in Apache HTTP Server version 2.4.52. Users are strongly recommended to upgrade to this version or later. For systems that cannot be immediately upgraded, it's worth noting that mod_lua is not enabled by default in Apache's package configuration in some distributions like Ubuntu (Ubuntu Security).

The vulnerability received significant attention from major technology companies and security vendors. Apple, Red Hat, and other major vendors issued security advisories and patches for their products that incorporate Apache HTTP Server. Multiple Linux distributions including Debian, Fedora, and Ubuntu released security updates to address the vulnerability (Debian Security, Fedora Update).