Vulnerability Details : CVE-2021-26691

In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow
Publish Date : 2021-06-10 Last Update Date : 2021-09-20

Collapse All Expand All Select Select&Copy	Scroll To Vendor Statements(0) Additional Vendor Data(0) OVAL Definitions(0) Vulnerable Products(0) # Of Vulns By Products References(0) Metasploit Modules(0)	Comments View User Comments Add Comment	External Links Secunia Advisories XForce Advisories Vulnerability Details at NVD Vulnerability Details at Mitre Nessus Plugins Linux Kernel Git Repository First CVSS Guide
Search Twitter Search YouTube Search Google

- CVSS Scores & Vulnerability Types

CVSS Score	7.5
Confidentiality Impact	Partial (There is considerable informational disclosure.)
Integrity Impact	Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Availability Impact	Partial (There is reduced performance or interruptions in resource availability.)
Access Complexity	Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. )
Authentication	Not required (Authentication is not required to exploit the vulnerability.)
Gained Access	None
Vulnerability Type(s)	Overflow
CWE ID	787

- Products Affected By CVE-2021-26691

#	Product Type	Vendor	Product	Version	Update	Edition	Language
1	Application	Apache	Http Server	*	*	*	*	Version Details Vulnerabilities
2	OS	Debian	Debian Linux	9.0	*	*	*	Version Details Vulnerabilities
3	OS	Debian	Debian Linux	10.0	*	*	*	Version Details Vulnerabilities

- Number Of Affected Versions By Product

Vendor	Product	Vulnerable Versions
Apache	Http Server	1
Debian	Debian Linux	2

- References For CVE-2021-26691

https://security.netapp.com/advisory/ntap-20210702-0001/ CONFIRM

https://lists.debian.org/debian-lts-announce/2021/07/msg00006.html
MLIST [debian-lts-announce] 20210709 [SECURITY] [DLA 2706-1] apache2 security update

https://www.debian.org/security/2021/dsa-4937
DEBIAN DSA-4937

https://security.gentoo.org/glsa/202107-38
GENTOO GLSA-202107-38

https://lists.fedoraproject.org/archives/list/[email protected]/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/
FEDORA FEDORA-2021-dce7e7738e

http://www.openwall.com/lists/oss-security/2021/06/10/7
MLIST [oss-security] 20210609 CVE-2021-26691: Apache httpd: mod_session response handling heap overflow

https://lists.apache.org/thread.html/[email protected]%3Cdev.httpd.apache.org%3E
MLIST [httpd-dev] 20210610 Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json

https://lists.apache.org/thread.html/[email protected]%3Cannounce.httpd.apache.org%3E
MLIST [httpd-announce] 20210609 CVE-2021-26691: mod_session response handling heap overflow

http://httpd.apache.org/security/vulnerabilities_24.html
CONFIRM N/A

https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62d8c43cba8d0bf3%40%3Ccvs.httpd.apache.org%3E
CONFIRM N/A

- Metasploit Modules Related To CVE-2021-26691

There are not any metasploit modules related to this CVE entry (Please visit www.metasploit.com for more information)