Alpine: multiple apache2 packages: security update to 2.2.21-r0 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 401304

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x
through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1)
RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows
remote attackers to send requests to intranet servers via a malformed URI containing an @ (at sign)
character and a : (colon) character in invalid positions. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2011-3368. (CVE-2011-4317)

See Also

https://git.alpinelinux.org/aports/commit/?id=626d0dde97b9a73e295e7fd556b7c575ee7cbddd

https://git.alpinelinux.org/aports/commit/?id=9f987f8ab1533bc6cdb29f36f144101bae980efe

Plugin Details

Severity: High

ID: 401304

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2011-4317

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/28/2011

Vulnerability Publication Date: 10/5/2011

Reference Information

CVE: CVE-2011-4317

BID: 50802

IAVA: 2012-A-0017-S