Описание
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives.
This issue affects Apache HTTP Server before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Ссылки
- Mailing ListVendor Advisory
- Mailing ListThird Party Advisory
Уязвимые конфигурации
EPSS
8.3 High
CVSS3
Дефекты
Связанные уязвимости
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Apache HTTP Server: Server Side Includes adds query string to #exec cmd=...
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) ...
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
Уязвимость модуля mod_cgid веб-сервера Apache HTTP Server, позволяющая нарушителю выполнить произвольный код
EPSS
8.3 High
CVSS3