* CVE json files for 2.4.49 added
diff --git a/.gitignore b/.gitignore
index c9c4464..806c99e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,4 @@
content/security/vulnerabilities-httpd.json
pelican.auto.py
site-generated
+.idea
diff --git a/content/security/json/CVE-2021-33193.json b/content/security/json/CVE-2021-33193.json
new file mode 100644
index 0000000..611cdba
--- /dev/null
+++ b/content/security/json/CVE-2021-33193.json
@@ -0,0 +1,102 @@
+{
+ "CVE_data_meta": {
+ "ASSIGNER": "security@apache.org",
+ "ID": "CVE-2021-33193",
+ "STATE": "PUBLIC",
+ "TITLE": "Request splitting via HTTP/2 method injection and mod_proxy"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache HTTP Server",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": ">=",
+ "version_name": "Apache HTTP Server 2.4",
+ "version_value": "2.4.17"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Apache Software Foundation"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Reported by James Kettle of PortSwigger"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning.\n\nThis issue affects Apache HTTP Server 2.4.17 to 2.4.48."
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": [
+ {
+ "other": "moderate"
+ }
+ ],
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Request Splitting"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://portswigger.net/research/http2"
+ },
+ {
+ "refsource": "CONFIRM",
+ "url": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c.patch"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2021-05-11",
+ "value": "reported"
+ },
+ {
+ "lang": "eng",
+ "time": "2021-08-06",
+ "value": "public"
+ },
+ {
+ "lang": "eng",
+ "time": "2021-09-16",
+ "value": "2.4.49 released"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/content/security/json/CVE-2021-34798.json b/content/security/json/CVE-2021-34798.json
new file mode 100644
index 0000000..15f1cb3
--- /dev/null
+++ b/content/security/json/CVE-2021-34798.json
@@ -0,0 +1,87 @@
+{
+ "CVE_data_meta": {
+ "ASSIGNER": "security@apache.org",
+ "ID": "CVE-2021-34798",
+ "STATE": "READY",
+ "TITLE": "NULL pointer dereference in httpd core"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache HTTP Server",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "Apache HTTP Server 2.4",
+ "version_value": "2.4.48"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Apache Software Foundation"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "The issue was discovered by the Apache HTTP security team"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Malformed requests may cause the server to dereference a NULL pointer.\n\n\nThis issue affects Apache HTTP Server 2.4.48 and earlier."
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": [
+ {
+ "other": "moderate"
+ }
+ ],
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-476 NULL Pointer Dereference"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2021-09-16",
+ "value": "2.4.49 released"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/content/security/json/CVE-2021-36160.json b/content/security/json/CVE-2021-36160.json
new file mode 100644
index 0000000..735a35e
--- /dev/null
+++ b/content/security/json/CVE-2021-36160.json
@@ -0,0 +1,97 @@
+{
+ "CVE_data_meta": {
+ "ASSIGNER": "security@apache.org",
+ "ID": "CVE-2021-36160",
+ "STATE": "READY",
+ "TITLE": "mod_proxy_uwsgi out of bound read"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache HTTP Server",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "Apache HTTP Server 2.4",
+ "version_value": "2.4.48"
+ },
+ {
+ "version_affected": "!<",
+ "version_name": "Apache HTTP Server 2.4",
+ "version_value": "2.4.30"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Apache Software Foundation"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "LI ZHI XIN from NSFocus Security Team"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS).\n\nThis issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive)."
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": [
+ {
+ "other": "moderate"
+ }
+ ],
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-125 out of bound read"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2021-04-26",
+ "value": "reported"
+ },
+ {
+ "lang": "eng",
+ "time": "2021-09-16",
+ "value": "2.4.49 release"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/content/security/json/CVE-2021-39275.json b/content/security/json/CVE-2021-39275.json
new file mode 100644
index 0000000..2568b89
--- /dev/null
+++ b/content/security/json/CVE-2021-39275.json
@@ -0,0 +1,87 @@
+{
+ "CVE_data_meta": {
+ "ASSIGNER": "security@apache.org",
+ "ID": "CVE-2021-39275",
+ "STATE": "READY",
+ "TITLE": "ap_escape_quotes buffer overflow"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache HTTP Server",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "Apache HTTP Server 2.4",
+ "version_value": "2.4.48"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Apache Software Foundation"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "ClusterFuzz"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "ap_escape_quotes() may write beyond the end of a buffer when given malicious input. \nNo included modules pass untrusted data to these functions, but third-party / external modules may.\n\nThis issue affects Apache HTTP Server 2.4.48 and earlier."
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": [
+ {
+ "other": "low"
+ }
+ ],
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Buffer Overflow"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2021-09-16",
+ "value": "2.4.49 released"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/content/security/json/CVE-2021-40438.json b/content/security/json/CVE-2021-40438.json
new file mode 100644
index 0000000..48bf025
--- /dev/null
+++ b/content/security/json/CVE-2021-40438.json
@@ -0,0 +1,87 @@
+{
+ "CVE_data_meta": {
+ "ASSIGNER": "security@apache.org",
+ "ID": "CVE-2021-40438",
+ "STATE": "READY",
+ "TITLE": "mod_proxy SSRF"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache HTTP Server",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "Apache HTTP Server 2.4",
+ "version_value": "2.4.48"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Apache Software Foundation"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "The issue was discovered by the Apache HTTP security team while analysing CVE-2021-36160"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user.\n\nThis issue affects Apache HTTP Server 2.4.48 and earlier."
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": [
+ {
+ "other": "high"
+ }
+ ],
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-918 Server Side Request Forgery (SSRF)"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2021-09-16",
+ "value": "2.4.49 released"
+ }
+ ]
+}
\ No newline at end of file
