Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
The vulnerability consists of referencing a memory area that has already been freed (use-after-free, CWE-416), in the context of processing mod_ldap configuration at the directory level. This error can lead to memory corruption in the HTTP server process. An attacker can potentially exploit this mechanism remotely over the network, without needing to possess privileges or user interaction, which reflects the CVSS vector AV:N/AC:L/PR:N/UI:N.
Successful exploitation of the vulnerability may lead to disclosure of sensitive data, modification of data or server resources, as well as complete loss of service availability — in all three dimensions the impact assessment is HIGH according to the CVSS vector.
Apache HTTP Server must be updated immediately to version 2.4.68, which contains a patch eliminating the described vulnerability. Details are available on the vendor's website: https://httpd.apache.org/security/vulnerabilities_24.html
Apache HTTP Server in versions from 2.4.0 to 2.4.67 (inclusive) with mod_ldap module enabled and configuration applied at the directory level.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache HTTP Server
APPApache2.4.0 – 2.4.68 (bez)
Related vulnerabilities
Apache HTTP Server mod_rewrite — ujawnienie kodu i RCE poprzez błędne escapowanie
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could ...
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a ...
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remot...
Apache HTTP Server mod_dav_fs — manipulacja bazą właściwości DAV i crash procesów