// For flags

CVE-2021-39275

ap_escape_quotes buffer overflow

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

la función ap_escape_quotes() puede escribir más allá del final de un buffer cuando se le da una entrada maliciosa. Ningún módulo incluido pasa datos no confiables a estas funciones, pero los módulos externos o de terceros pueden hacerlo. Este problema afecta a Apache HTTP Server versiones 2.4.48 y anteriores

An out-of-bounds write in function ap_escape_quotes of httpd allows an unauthenticated remote attacker to crash the server or potentially execute code on the system with the privileges of the httpd user, by providing malicious input to the function.

USN-5090-1 fixed vulnerabilities in Apache HTTP Server. One of the upstream fixes introduced a regression in UDS URIs. This update fixes the problem. James Kettle discovered that the Apache HTTP Server HTTP/2 module incorrectly handled certain crafted methods. A remote attacker could possibly use this issue to perform request splitting or cache poisoning attacks. It was discovered that the Apache HTTP Server incorrectly handled certain malformed requests. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly handled certain request uri-paths. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04. It was discovered that the Apache HTTP Server incorrectly handled escaping quotes. If the server was configured with third-party modules, a remote attacker could use this issue to cause the server to crash, resulting in a denial of service, or possibly execute arbitrary code. It was discovered that the Apache mod_proxy module incorrectly handled certain request uri-paths. A remote attacker could possibly use this issue to cause the server to forward requests to arbitrary origin servers. Various other issues were also addressed.

*Credits: ClusterFuzz
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-08-18 CVE Reserved
  • 2021-09-16 CVE Published
  • 2024-08-04 CVE Updated
  • 2025-05-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-787: Out-of-bounds Write
CAPEC
References (17)
URL Tag Source
https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf Third Party Advisory
https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E Mailing List
https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html Mailing List
https://security.netapp.com/advisory/ntap-20211008-0004 Third Party Advisory
URL Date SRC
URL Date SRC
https://www.oracle.com/security-alerts/cpuapr2022.html 2023-11-07
https://www.oracle.com/security-alerts/cpujan2022.html 2023-11-07
URL Date SRC
https://httpd.apache.org/security/vulnerabilities_24.html 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R 2023-11-07
https://security.gentoo.org/glsa/202208-20 2023-11-07
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ 2023-11-07
https://www.debian.org/security/2021/dsa-4982 2023-11-07
https://access.redhat.com/security/cve/CVE-2021-39275 2022-10-26
https://bugzilla.redhat.com/show_bug.cgi?id=2005119 2022-10-26
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
 Http Server
Search vendor "Apache" for product "Http Server"
 <= 2.4.48
Search vendor "Apache" for product "Http Server" and version " <= 2.4.48"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 11.0
Search vendor "Debian" for product "Debian Linux" and version "11.0"
-
Affected
Netapp
Search vendor "Netapp"
 Cloud Backup
Search vendor "Netapp" for product "Cloud Backup"
--
Affected
Netapp
Search vendor "Netapp"
 Clustered Data Ontap
Search vendor "Netapp" for product "Clustered Data Ontap"
--
Affected
Netapp
Search vendor "Netapp"
 Storagegrid
Search vendor "Netapp" for product "Storagegrid"
--
Affected
Oracle
Search vendor "Oracle"
 Http Server
Search vendor "Oracle" for product "Http Server"
 12.2.1.3.0
Search vendor "Oracle" for product "Http Server" and version "12.2.1.3.0"
-
Affected
Oracle
Search vendor "Oracle"
 Http Server
Search vendor "Oracle" for product "Http Server"
 12.2.1.4.0
Search vendor "Oracle" for product "Http Server" and version "12.2.1.4.0"
-
Affected
Oracle
Search vendor "Oracle"
 Instantis Enterprisetrack
Search vendor "Oracle" for product "Instantis Enterprisetrack"
 17.1
Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.1"
-
Affected
Oracle
Search vendor "Oracle"
 Instantis Enterprisetrack
Search vendor "Oracle" for product "Instantis Enterprisetrack"
 17.2
Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.2"
-
Affected
Oracle
Search vendor "Oracle"
 Instantis Enterprisetrack
Search vendor "Oracle" for product "Instantis Enterprisetrack"
 17.3
Search vendor "Oracle" for product "Instantis Enterprisetrack" and version "17.3"
-
Affected
Oracle
Search vendor "Oracle"
 Zfs Storage Appliance Kit
Search vendor "Oracle" for product "Zfs Storage Appliance Kit"
 8.8
Search vendor "Oracle" for product "Zfs Storage Appliance Kit" and version "8.8"
-
Affected
Siemens
Search vendor "Siemens"
 Sinec Nms
Search vendor "Siemens" for product "Sinec Nms"
*-
Affected
Siemens
Search vendor "Siemens"
 Sinema Server
Search vendor "Siemens" for product "Sinema Server"
 14.0
Search vendor "Siemens" for product "Sinema Server" and version "14.0"
-
Affected