Alpine: multiple apache2 packages: security update to 2.4.67-r0

high Tenable Cloud Security Plugin ID 441153

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An escalation of privilege bug in various modules in Apache HTTP Server 2.4.66 and earlier allows local
.htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to
version 2.4.67, which fixes this issue. (CVE-2026-24072)

- Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue
affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the
issue. (CVE-2026-23918)

- Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects
to a malicious AJP server, that server can send a malicious AJP message back to mod_proxy_ajp and cause
it to write 4 attacker-controlled bytes after the end of a heap-based buffer. This issue affects Apache
HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
(CVE-2026-28780)

- Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP
response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to
upgrade to version 2.4.67, which fixes the issue. (CVE-2026-29168)

Solution

Update the apache2 library and its related packages to version 2.4.67-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-23918

https://security.alpinelinux.org/vuln/CVE-2026-24072

https://security.alpinelinux.org/vuln/CVE-2026-28780

https://security.alpinelinux.org/vuln/CVE-2026-29168

https://security.alpinelinux.org/vuln/CVE-2026-29169

https://security.alpinelinux.org/vuln/CVE-2026-33006

https://security.alpinelinux.org/vuln/CVE-2026-33007

https://security.alpinelinux.org/vuln/CVE-2026-33523

https://security.alpinelinux.org/vuln/CVE-2026-33857

https://security.alpinelinux.org/vuln/CVE-2026-34032

https://security.alpinelinux.org/vuln/CVE-2026-34059

Plugin Details

Severity: High

ID: 441153

Version: Revision 1.6

Type: Local

Published: 5/5/2026

Updated: 6/30/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.7

Percentile: 99.07

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-24072

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/4/2026

Reference Information

CVE: CVE-2026-23918, CVE-2026-24072, CVE-2026-28780, CVE-2026-29168, CVE-2026-29169, CVE-2026-33006, CVE-2026-33007, CVE-2026-33523, CVE-2026-33857, CVE-2026-34032, CVE-2026-34059