{
  "threat_severity" : "Moderate",
  "public_date" : "2021-10-05T00:00:00Z",
  "bugzilla" : {
    "description" : "httpd: NULL pointer dereference via crafted request during HTTP/2 request processing",
    "id" : "2010934",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2010934"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project." ],
  "statement" : "This issue only affects Apache HTTP Server 2.4.49 and Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP9, earlier versions are not affected. Therefore this issue does not affect the other versions of Apache HTTP Server shipped with Red Hat products.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2022-10-26T00:00:00Z",
    "advisory" : "RHSA-2022:7143",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-httpd-0:2.4.51-28.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2022-10-26T00:00:00Z",
    "advisory" : "RHSA-2022:7143",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.51-28.el7jbcs"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2022-10-26T00:00:00Z",
    "advisory" : "RHSA-2022:7144",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "jbcs-httpd24-httpd"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "httpd:2.4/httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "httpd24-httpd",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-41524\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-41524\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2021-41524",
  "csaw" : false
}