Alpine: multiple apache2 packages: security update to 2.4.48-r0

critical Tenable Cloud Security Plugin ID 423655

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted SessionHeader sent by an origin server
could cause a heap overflow (CVE-2021-26691)

- An uncontrolled resource consumption vulnerability in Fortinet FortiSwitch below 3.6.11, 6.0.6 and 6.2.2,
FortiAnalyzer below 6.2.3, FortiManager below 6.2.3 and FortiAP-S/W2 below 6.2.2 may allow an attacker to
cause a denial of service (DoS) of the admin web UI via specially crafted HTTP requests/responses delivered
in pieces slowly, as demonstrated by slow HTTP DoS attacks (CVE-2019-17657)

- In Apache HTTP Server versions 2.4.0 to 2.4.46, unprivileged local users can stop httpd on Windows
(CVE-2020-13938)

- In Apache HTTP Server versions 2.4.41 to 2.4.46, mod_proxy_http can be made to crash (NULL pointer
dereference) by specially crafted requests using both Content-Length and Transfer-Encoding headers,
leading to a denial of service (CVE-2020-13950)

- In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted Digest nonce can cause a stack overflow in
mod_auth_digest. There is no report of this overflow being exploitable, nor could the Apache HTTP Server team
create one, though some particular compiler and/or compilation option might make it possible, with
limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow
(CVE-2020-35452)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-17657

https://security.alpinelinux.org/vuln/CVE-2020-13938

https://security.alpinelinux.org/vuln/CVE-2020-13950

https://security.alpinelinux.org/vuln/CVE-2020-35452

https://security.alpinelinux.org/vuln/CVE-2021-26690

https://security.alpinelinux.org/vuln/CVE-2021-26691

https://security.alpinelinux.org/vuln/CVE-2021-30641

https://security.alpinelinux.org/vuln/CVE-2021-31618

Plugin Details

Severity: Critical

ID: 423655

Version: Revision 1.7

Type: Local

Published: 4/4/2025

Updated: 5/30/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.75

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-26691

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2/3/2020

Reference Information

CVE: CVE-2019-17657, CVE-2020-13938, CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641, CVE-2021-31618

IAVA: 2021-A-0259-S