Search
Find a vulnerability
Search criteria
8 vulnerabilities found for Apache Portable Runtime (APR) by Apache Software Foundation
CVE-2023-49582 (GCVE-0-2023-49582)
Vulnerability from nvd – Published: 2024-08-26 14:03 – Updated: 2025-03-13 14:25
VLAI
Title
Apache Portable Runtime (APR): Unexpected lax shared memory permissions
Summary
Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data.
This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h)
Users are recommended to upgrade to APR version 1.7.5, which fixes this issue.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Portable Runtime (APR) |
Affected:
0.9.0 , ≤ 1.7.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-49582",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T17:39:05.591843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T14:25:56.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-11-01T17:03:02.892Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/26/1"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241101-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Portable Runtime (APR)",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.7.4",
"status": "affected",
"version": "0.9.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Thomas Stangner"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. \u003cbr\u003e\u003cbr\u003eThis issue does not affect non-Unix platforms, or builds with\u0026nbsp;APR_USE_SHMEM_SHMGET=1 (apr.h)\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to APR version 1.7.5, which fixes this issue."
}
],
"value": "Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. \n\nThis issue does not affect non-Unix platforms, or builds with\u00a0APR_USE_SHMEM_SHMGET=1 (apr.h)\n\nUsers are recommended to upgrade to APR version 1.7.5, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T14:03:44.588Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/sntjc04t1rvjhdzz2tzmtz2zdnmv7dc4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2023-02-08T22:06:00.000Z",
"value": "Discussion on public mailing list https://lists.apache.org/thread/h5f1c2dqm8bf5yfosw3rg85927p612l0"
},
{
"lang": "en",
"time": "2023-11-15T16:21:00.000Z",
"value": "Reported to security team"
},
{
"lang": "en",
"time": "2024-08-20T17:40:00.000Z",
"value": "fixed by r1920083 in 1.7.x. r1920062 is encouraged for functional reasons."
}
],
"title": "Apache Portable Runtime (APR): Unexpected lax shared memory permissions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-49582",
"datePublished": "2024-08-26T14:03:44.588Z",
"dateReserved": "2023-11-27T18:07:52.860Z",
"dateUpdated": "2025-03-13T14:25:56.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-28331 (GCVE-0-2022-28331)
Vulnerability from nvd – Published: 2023-01-31 15:55 – Updated: 2025-03-27 14:31
VLAI
Title
Apache Portable Runtime (APR): Windows out-of-bounds write in apr_socket_sendv function
Summary
On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/5pfdfn7h0vsdo5xzj… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Portable Runtime (APR) |
Affected:
0 , ≤ 1.7.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:56:14.939Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/5pfdfn7h0vsdo5xzjn97vghp0x42jj2r"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-28331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T14:31:25.841968Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:31:30.494Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Portable Runtime (APR)",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ronald Crane (Zippenhop LLC)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow."
}
],
"value": "On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-07T15:26:44.884Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5pfdfn7h0vsdo5xzjn97vghp0x42jj2r"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Portable Runtime (APR): Windows out-of-bounds write in apr_socket_sendv function",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-28331",
"datePublished": "2023-01-31T15:55:21.488Z",
"dateReserved": "2022-04-01T12:46:04.617Z",
"dateUpdated": "2025-03-27T14:31:30.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24963 (GCVE-0-2022-24963)
Vulnerability from nvd – Published: 2023-01-31 15:52 – Updated: 2025-03-27 14:33
VLAI
Title
Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions
Summary
Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.
This issue affects Apache Portable Runtime (APR) version 1.7.0.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/fw9p6sdncwsjkstwc… | vendor-advisory |
| https://security.netapp.com/advisory/ntap-2023090… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Portable Runtime (APR) |
Affected:
1.7.0
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:01.595Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230908-0008/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-24963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T14:33:34.281533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:33:39.826Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Portable Runtime (APR)",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.7.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ronald Crane (Zippenhop LLC)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\u003cbr\u003eThis issue affects Apache Portable Runtime (APR) version 1.7.0."
}
],
"value": "Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\nThis issue affects Apache Portable Runtime (APR) version 1.7.0."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-08T16:06:38.212Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230908-0008/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-24963",
"datePublished": "2023-01-31T15:52:09.716Z",
"dateReserved": "2022-02-11T12:49:56.769Z",
"dateUpdated": "2025-03-27T14:33:39.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35940 (GCVE-0-2021-35940)
Vulnerability from nvd – Published: 2021-08-23 10:00 – Updated: 2024-08-04 00:40
VLAI
Title
Regression of CVE-2017-12613
Summary
An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.
Severity
No CVSS data available.
CWE
- APR apr_time_exp* out of bounds array dereference
Assigner
References
16 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Portable Runtime (APR) |
Affected:
Apache Portable Runtime 1.7.0
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:40:47.582Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1891198"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw%40mail.gmail.com%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[oss-security] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/08/23/1"
},
{
"name": "[announce] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b%40%3Cannounce.apache.org%3E"
},
{
"name": "[apr-dev] 20210831 APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[httpd-dev] 20210831 APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b%40%3Cdev.httpd.apache.org%3E"
},
{
"name": "[apr-dev] 20210831 Re: APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r72a069753b9363c29732e59ad8f0d22a633fb6a699980407511ac961%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210901 Re: APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r317c398ee5736e627f7887b06607e5c58b45a696d352ba8c14615f55%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210916 Re: CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Created] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r72479f4dcffaa8a4732d5a0e87fecc4bace4932e28fc26f7d400e2b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Resolved] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r54c755c74b9e3846cfd84039b1967d37d2870750a02d7c603983f6ed%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Commented] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rafe54755850e93de287c36540972457b2dd86332106aa7817c7c27fb%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Reopened] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1c788464a25fbc046a72aff451bc8186386315d92a2dd0349903fa4f%40%3Cdev.tomcat.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Portable Runtime (APR)",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Portable Runtime 1.7.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "The Apache Portable Runtime project would like to thank Iveta Cesalova (Red Hat) for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "APR apr_time_exp* out of bounds array dereference",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:30:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1891198"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw%40mail.gmail.com%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[oss-security] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/08/23/1"
},
{
"name": "[announce] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b%40%3Cannounce.apache.org%3E"
},
{
"name": "[apr-dev] 20210831 APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[httpd-dev] 20210831 APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b%40%3Cdev.httpd.apache.org%3E"
},
{
"name": "[apr-dev] 20210831 Re: APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r72a069753b9363c29732e59ad8f0d22a633fb6a699980407511ac961%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210901 Re: APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r317c398ee5736e627f7887b06607e5c58b45a696d352ba8c14615f55%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210916 Re: CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Created] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r72479f4dcffaa8a4732d5a0e87fecc4bace4932e28fc26f7d400e2b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Resolved] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r54c755c74b9e3846cfd84039b1967d37d2870750a02d7c603983f6ed%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Commented] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rafe54755850e93de287c36540972457b2dd86332106aa7817c7c27fb%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Reopened] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1c788464a25fbc046a72aff451bc8186386315d92a2dd0349903fa4f%40%3Cdev.tomcat.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Regression of CVE-2017-12613",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-35940",
"STATE": "PUBLIC",
"TITLE": "Regression of CVE-2017-12613"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Portable Runtime (APR)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "Apache Portable Runtime",
"version_value": "1.7.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "The Apache Portable Runtime project would like to thank Iveta Cesalova (Red Hat) for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "APR apr_time_exp* out of bounds array dereference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://svn.apache.org/viewvc?view=revision\u0026revision=1891198",
"refsource": "MISC",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1891198"
},
{
"name": "http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw@mail.gmail.com%3E",
"refsource": "MISC",
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw@mail.gmail.com%3E"
},
{
"name": "https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch",
"refsource": "MISC",
"url": "https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch"
},
{
"name": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e@%3Cdev.apr.apache.org%3E"
},
{
"name": "[oss-security] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/08/23/1"
},
{
"name": "[announce] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b@%3Cannounce.apache.org%3E"
},
{
"name": "[apr-dev] 20210831 APR 1.7.1 release?",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b@%3Cdev.apr.apache.org%3E"
},
{
"name": "[httpd-dev] 20210831 APR 1.7.1 release?",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b@%3Cdev.httpd.apache.org%3E"
},
{
"name": "[apr-dev] 20210831 Re: APR 1.7.1 release?",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r72a069753b9363c29732e59ad8f0d22a633fb6a699980407511ac961@%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210901 Re: APR 1.7.1 release?",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r317c398ee5736e627f7887b06607e5c58b45a696d352ba8c14615f55@%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210916 Re: CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8@%3Cdev.apr.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Created] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r72479f4dcffaa8a4732d5a0e87fecc4bace4932e28fc26f7d400e2b3@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Resolved] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r54c755c74b9e3846cfd84039b1967d37d2870750a02d7c603983f6ed@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Commented] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rafe54755850e93de287c36540972457b2dd86332106aa7817c7c27fb@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Reopened] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1c788464a25fbc046a72aff451bc8186386315d92a2dd0349903fa4f@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-35940",
"datePublished": "2021-08-23T10:00:10.000Z",
"dateReserved": "2021-06-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T00:40:47.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49582 (GCVE-0-2023-49582)
Vulnerability from cvelistv5 – Published: 2024-08-26 14:03 – Updated: 2025-03-13 14:25
VLAI
Title
Apache Portable Runtime (APR): Unexpected lax shared memory permissions
Summary
Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data.
This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h)
Users are recommended to upgrade to APR version 1.7.5, which fixes this issue.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Portable Runtime (APR) |
Affected:
0.9.0 , ≤ 1.7.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-49582",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T17:39:05.591843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T14:25:56.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-11-01T17:03:02.892Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/26/1"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241101-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Portable Runtime (APR)",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.7.4",
"status": "affected",
"version": "0.9.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Thomas Stangner"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. \u003cbr\u003e\u003cbr\u003eThis issue does not affect non-Unix platforms, or builds with\u0026nbsp;APR_USE_SHMEM_SHMGET=1 (apr.h)\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to APR version 1.7.5, which fixes this issue."
}
],
"value": "Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. \n\nThis issue does not affect non-Unix platforms, or builds with\u00a0APR_USE_SHMEM_SHMGET=1 (apr.h)\n\nUsers are recommended to upgrade to APR version 1.7.5, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T14:03:44.588Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/sntjc04t1rvjhdzz2tzmtz2zdnmv7dc4"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2023-02-08T22:06:00.000Z",
"value": "Discussion on public mailing list https://lists.apache.org/thread/h5f1c2dqm8bf5yfosw3rg85927p612l0"
},
{
"lang": "en",
"time": "2023-11-15T16:21:00.000Z",
"value": "Reported to security team"
},
{
"lang": "en",
"time": "2024-08-20T17:40:00.000Z",
"value": "fixed by r1920083 in 1.7.x. r1920062 is encouraged for functional reasons."
}
],
"title": "Apache Portable Runtime (APR): Unexpected lax shared memory permissions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-49582",
"datePublished": "2024-08-26T14:03:44.588Z",
"dateReserved": "2023-11-27T18:07:52.860Z",
"dateUpdated": "2025-03-13T14:25:56.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-28331 (GCVE-0-2022-28331)
Vulnerability from cvelistv5 – Published: 2023-01-31 15:55 – Updated: 2025-03-27 14:31
VLAI
Title
Apache Portable Runtime (APR): Windows out-of-bounds write in apr_socket_sendv function
Summary
On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/5pfdfn7h0vsdo5xzj… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Portable Runtime (APR) |
Affected:
0 , ≤ 1.7.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:56:14.939Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/5pfdfn7h0vsdo5xzjn97vghp0x42jj2r"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-28331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T14:31:25.841968Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:31:30.494Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Portable Runtime (APR)",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ronald Crane (Zippenhop LLC)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow."
}
],
"value": "On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-07T15:26:44.884Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5pfdfn7h0vsdo5xzjn97vghp0x42jj2r"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Portable Runtime (APR): Windows out-of-bounds write in apr_socket_sendv function",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-28331",
"datePublished": "2023-01-31T15:55:21.488Z",
"dateReserved": "2022-04-01T12:46:04.617Z",
"dateUpdated": "2025-03-27T14:31:30.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24963 (GCVE-0-2022-24963)
Vulnerability from cvelistv5 – Published: 2023-01-31 15:52 – Updated: 2025-03-27 14:33
VLAI
Title
Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions
Summary
Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.
This issue affects Apache Portable Runtime (APR) version 1.7.0.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/fw9p6sdncwsjkstwc… | vendor-advisory |
| https://security.netapp.com/advisory/ntap-2023090… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Portable Runtime (APR) |
Affected:
1.7.0
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:01.595Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230908-0008/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-24963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T14:33:34.281533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:33:39.826Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Portable Runtime (APR)",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.7.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ronald Crane (Zippenhop LLC)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\u003cbr\u003eThis issue affects Apache Portable Runtime (APR) version 1.7.0."
}
],
"value": "Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.\nThis issue affects Apache Portable Runtime (APR) version 1.7.0."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-08T16:06:38.212Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/fw9p6sdncwsjkstwc066vz57xqzfksq9"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230908-0008/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-24963",
"datePublished": "2023-01-31T15:52:09.716Z",
"dateReserved": "2022-02-11T12:49:56.769Z",
"dateUpdated": "2025-03-27T14:33:39.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35940 (GCVE-0-2021-35940)
Vulnerability from cvelistv5 – Published: 2021-08-23 10:00 – Updated: 2024-08-04 00:40
VLAI
Title
Regression of CVE-2017-12613
Summary
An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.
Severity
No CVSS data available.
CWE
- APR apr_time_exp* out of bounds array dereference
Assigner
References
16 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Portable Runtime (APR) |
Affected:
Apache Portable Runtime 1.7.0
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:40:47.582Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1891198"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw%40mail.gmail.com%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[oss-security] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/08/23/1"
},
{
"name": "[announce] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b%40%3Cannounce.apache.org%3E"
},
{
"name": "[apr-dev] 20210831 APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[httpd-dev] 20210831 APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b%40%3Cdev.httpd.apache.org%3E"
},
{
"name": "[apr-dev] 20210831 Re: APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r72a069753b9363c29732e59ad8f0d22a633fb6a699980407511ac961%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210901 Re: APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r317c398ee5736e627f7887b06607e5c58b45a696d352ba8c14615f55%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210916 Re: CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Created] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r72479f4dcffaa8a4732d5a0e87fecc4bace4932e28fc26f7d400e2b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Resolved] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r54c755c74b9e3846cfd84039b1967d37d2870750a02d7c603983f6ed%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Commented] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rafe54755850e93de287c36540972457b2dd86332106aa7817c7c27fb%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Reopened] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1c788464a25fbc046a72aff451bc8186386315d92a2dd0349903fa4f%40%3Cdev.tomcat.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Portable Runtime (APR)",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache Portable Runtime 1.7.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "The Apache Portable Runtime project would like to thank Iveta Cesalova (Red Hat) for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "APR apr_time_exp* out of bounds array dereference",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:30:01.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1891198"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw%40mail.gmail.com%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[oss-security] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/08/23/1"
},
{
"name": "[announce] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b%40%3Cannounce.apache.org%3E"
},
{
"name": "[apr-dev] 20210831 APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[httpd-dev] 20210831 APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b%40%3Cdev.httpd.apache.org%3E"
},
{
"name": "[apr-dev] 20210831 Re: APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r72a069753b9363c29732e59ad8f0d22a633fb6a699980407511ac961%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210901 Re: APR 1.7.1 release?",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r317c398ee5736e627f7887b06607e5c58b45a696d352ba8c14615f55%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210916 Re: CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Created] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r72479f4dcffaa8a4732d5a0e87fecc4bace4932e28fc26f7d400e2b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Resolved] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r54c755c74b9e3846cfd84039b1967d37d2870750a02d7c603983f6ed%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Commented] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rafe54755850e93de287c36540972457b2dd86332106aa7817c7c27fb%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Reopened] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1c788464a25fbc046a72aff451bc8186386315d92a2dd0349903fa4f%40%3Cdev.tomcat.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Regression of CVE-2017-12613",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-35940",
"STATE": "PUBLIC",
"TITLE": "Regression of CVE-2017-12613"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Portable Runtime (APR)",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "Apache Portable Runtime",
"version_value": "1.7.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "The Apache Portable Runtime project would like to thank Iveta Cesalova (Red Hat) for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "APR apr_time_exp* out of bounds array dereference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://svn.apache.org/viewvc?view=revision\u0026revision=1891198",
"refsource": "MISC",
"url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1891198"
},
{
"name": "http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw@mail.gmail.com%3E",
"refsource": "MISC",
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw@mail.gmail.com%3E"
},
{
"name": "https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch",
"refsource": "MISC",
"url": "https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch"
},
{
"name": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e@%3Cdev.apr.apache.org%3E"
},
{
"name": "[oss-security] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/08/23/1"
},
{
"name": "[announce] 20210823 CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b@%3Cannounce.apache.org%3E"
},
{
"name": "[apr-dev] 20210831 APR 1.7.1 release?",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b@%3Cdev.apr.apache.org%3E"
},
{
"name": "[httpd-dev] 20210831 APR 1.7.1 release?",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b@%3Cdev.httpd.apache.org%3E"
},
{
"name": "[apr-dev] 20210831 Re: APR 1.7.1 release?",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r72a069753b9363c29732e59ad8f0d22a633fb6a699980407511ac961@%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210901 Re: APR 1.7.1 release?",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r317c398ee5736e627f7887b06607e5c58b45a696d352ba8c14615f55@%3Cdev.apr.apache.org%3E"
},
{
"name": "[apr-dev] 20210916 Re: CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8@%3Cdev.apr.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Created] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r72479f4dcffaa8a4732d5a0e87fecc4bace4932e28fc26f7d400e2b3@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Resolved] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r54c755c74b9e3846cfd84039b1967d37d2870750a02d7c603983f6ed@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Commented] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rafe54755850e93de287c36540972457b2dd86332106aa7817c7c27fb@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210922 [jira] [Reopened] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1c788464a25fbc046a72aff451bc8186386315d92a2dd0349903fa4f@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-35940",
"datePublished": "2021-08-23T10:00:10.000Z",
"dateReserved": "2021-06-29T00:00:00.000Z",
"dateUpdated": "2024-08-04T00:40:47.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}