mod_session NULL pointer dereference
CVE-2021-26690
7.5HIGH
Key Information:
- Vendor
Apache
- Status
- Vendor
- CVE Published:
- 10 June 2021
Badges
👾 Exploit Exists🟡 Public PoC🟣 EPSS 59%
What is CVE-2021-26690?
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service
Affected Version(s)
Apache HTTP Server 2.4.46
Apache HTTP Server 2.4.43
Apache HTTP Server 2.4.41
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
EPSS Score
59% chance of being exploited in the next 30 days.
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
- 👾
Exploit known to exist
- 🟡
Public PoC available
Vulnerability published
Vulnerability Reserved
Credit
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales)