Alpine: multiple apache2 packages: security update to 2.4.66-r0

high Tenable Cloud Security Plugin ID 436276

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30
days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then
are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before
2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue. (CVE-2025-55753)

- Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not
mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache
HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
(CVE-2025-58098)

- Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes
On and MergeSlashes Off allows to potentially leak NTLM hashes to a malicious server via SSRF and
malicious requests or content Users are recommended to upgrade to version 2.4.66, which fixes the issue.
(CVE-2025-59775)

- Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through
environment variables set via the Apache configuration unexpectedly superseding variables calculated by
the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65. Users are
recommended to upgrade to version 2.4.66 which fixes the issue. (CVE-2025-65082)

- mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with
access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an
unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65. Users are recommended
to upgrade to version 2.4.66, which fixes the issue. (CVE-2025-66200)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-55753

https://security.alpinelinux.org/vuln/CVE-2025-58098

https://security.alpinelinux.org/vuln/CVE-2025-59775

https://security.alpinelinux.org/vuln/CVE-2025-65082

https://security.alpinelinux.org/vuln/CVE-2025-66200

Plugin Details

Severity: High

ID: 436276

Version: Revision 1.12

Type: Local

Published: 12/8/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.5

Percentile: 57.44

CVSS v2

Risk Factor: High

Base Score: 8.7

Temporal Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:P

CVSS Score Source: CVE-2025-58098

CVSS v3

Risk Factor: High

Base Score: 8.3

Temporal Score: 7.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 12/4/2025

Reference Information

CVE: CVE-2025-55753, CVE-2025-58098, CVE-2025-59775, CVE-2025-65082, CVE-2025-66200