CVE-2021-30641 — MEDIUM (5.3)

Q: What is CVE-2021-30641?

CVE-2021-30641 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

Q: How severe is CVE-2021-30641?

CVE-2021-30641 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-30641?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Fedoraproject Fedora, Oracle Enterprise Manager Ops Center, Oracle Instantis Enterprisetrack.

Vulnerability Description

Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Http Server	>= 2.4.39, <= 2.4.46
Debian	Debian Linux	9.0
Fedoraproject	Fedora	34
Oracle	Enterprise Manager Ops Center	12.4.0.0
Oracle	Instantis Enterprisetrack	17.1
Oracle	Zfs Storage Appliance Kit	8.8

References

http://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
http://www.openwall.com/lists/oss-security/2021/06/10/8Mailing ListThird Party Advisory
https://lists.apache.org/thread.html/r2b4773944d83d2799de9fbaeee7fe0f3fd72669467
https://lists.apache.org/thread.html/r7f2b70b621651548f4b6f027552f1dd91705d7111b
https://lists.apache.org/thread.html/re026d3da9d7824bd93b9f871c0fdda978d960c7e62Mailing ListRelease NotesVendor Advisory
https://lists.debian.org/debian-lts-announce/2021/07/msg00006.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202107-38Third Party Advisory
https://security.netapp.com/advisory/ntap-20210702-0001/Third Party Advisory
https://www.debian.org/security/2021/dsa-4937Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
http://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
http://www.openwall.com/lists/oss-security/2021/06/10/8Mailing ListThird Party Advisory
https://lists.apache.org/thread.html/r2b4773944d83d2799de9fbaeee7fe0f3fd72669467

FAQ

What is CVE-2021-30641?

CVE-2021-30641 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

How severe is CVE-2021-30641?

CVE-2021-30641 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-30641?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Fedoraproject Fedora, Oracle Enterprise Manager Ops Center, Oracle Instantis Enterprisetrack.