=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN844
_____________________________________________________________________

DATE                : 11/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache HTTP Server versions prior
                                    to 2.4.66.

=====================================================================
https://lists.apache.org/thread/qsqgjfh3opl1zyqvky8wxpdhctkgc0s5
https://lists.apache.org/thread/4xbrxoylw1d6ymj9ptbqdhhtv629jddt
https://lists.apache.org/thread/6q07f57b8cjzt051rk2v4nqokm8rgm42
https://lists.apache.org/thread/1vygt5ztr7vqgtv9zclnln7mbwng6xzs
https://lists.apache.org/thread/w3no61r33ys2vytk2whkfy3owjtdw25c
_____________________________________________________________________


CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec bypass via
AllowOverride FileInfo
Severity: moderate 

Affected versions:

- Apache HTTP Server 2.4.7 through 2.4.65

Description:

mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in
Apache HTTP Server. Users with access to use the RequestHeader
directive in htaccess can cause some CGI scripts to run under an
unexpected userid.

This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.

Users are recommended to upgrade to version 2.4.66, which fixes the
issue.


Credit:

Mattias Åsander (Umeå University) (finder)


References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-66200

Timeline:

2025-11-19: reported
2025-12-01: fixed in 2.4.x by r1930168

_____________________________________________________________________

CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows through
UNC SSRF

Severity: moderate 

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.65

Description:

Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server
on Windows with AllowEncodedSlashes On and MergeSlashes Off potentially
allows leaking NTLM hashes to a malicious server via SSRF and malicious
requests or content.

Users are recommended to upgrade to version 2.4.66, which fixes the
issue.

Credit:

Orange Tsai (@orange_8361) from DEVCORE (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-59775

Timeline:

2025-09-10: reported
2025-12-01: fixed in 2.4.x by r1930166
_____________________________________________________________________

CVE-2025-58098: Apache HTTP Server: Server Side Includes adds query
string to #exec cmd=...
Severity: low 

Affected versions:

- Apache HTTP Server before 2.4.66

Description:

Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI)
enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query
string to #exec cmd="..." directives.

This issue affects Apache HTTP Server before 2.4.66.

Users are recommended to upgrade to version 2.4.66, which fixes the
issue.

Credit:

Anthony Parfenov (United Rentals, Inc.) (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-58098

Timeline:

2025-08-21: Reported to security team
2025-12-01: fixed in 2.4.x by r1930165

_____________________________________________________________________

CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended retry
intervals
Severity: low 

Affected versions:

- Apache HTTP Server 2.4.30 before 2.4.66

Description:

An integer overflow in the case of failed ACME certificate renewal
leads, after a number of failures (~30 days in default configurations),
to the backoff timer becoming 0. Attempts to renew the certificate
then are repeated without delays until it succeeds.

This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.


Users are recommended to upgrade to version 2.4.66, which fixes the
issue.

Credit:

Aisle Research (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-55753

Timeline:

2025-08-15: reported
2025-11-20: fixed by r1929884 in 2.4.x
_____________________________________________________________________

CVE-2025-65082: Apache HTTP Server: CGI environment variable override
Severity: low 

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.65

Description:

Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability in Apache HTTP Server through environment variables
set via the Apache configuration unexpectedly superseding variables
calculated by the server for CGI programs.

This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.

Users are recommended to upgrade to version 2.4.66 which fixes the
issue.

Credit:

Mattias Åsander (Umeå University) (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-65082

Timeline:

2025-11-14: reported
2025-12-01: fixed in 2.4.x by r1930167
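
A configuration triage for the five issues above, as an added example that is not part of the CERT-Renater or Apache text: it reports which CVEs have their stated preconditions present in an httpd configuration. The mapping of directives to modules (mod_headers for RequestHeader, mod_include for SSI), the sample configuration and the function names are assumptions of this example, and the version passed in is assumed to be a 2.4.x release.

```python
FIXED = (2, 4, 66)  # first fixed release per the advisory

# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF = """\
LoadModule userdir_module modules/mod_userdir.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule headers_module modules/mod_headers.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule include_module modules/mod_include.so
AllowEncodedSlashes On
MergeSlashes Off
<Directory "/home/*/public_html">
    AllowOverride FileInfo
    Options +Includes +ExecCGI
</Directory>
"""

def scan(conf):
    """Return (loaded module names, {directive: [lower-cased argument lists]})."""
    mods, seen = set(), {}
    for raw in conf.splitlines():
        parts = raw.split()
        if not parts or parts[0][0] in "#<":
            continue  # blank line, comment, or <Section> tag
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if name == "loadmodule" and args:
            mods.add(args[0])
        else:
            seen.setdefault(name, []).append(args)
    return mods, seen

def triage(version, conf, on_windows=False):
    """List the advisory's CVEs whose stated preconditions appear in conf."""
    v = tuple(int(x) for x in version.split("."))
    if v >= FIXED:
        return []
    mods, seen = scan(conf)
    def has(directive, *values):  # any occurrence carrying one of the values
        return any(set(values) & set(a) for a in seen.get(directive, []))
    hits = []
    if (v >= (2, 4, 7) and {"userdir_module", "suexec_module", "headers_module"} <= mods
            and has("allowoverride", "fileinfo", "all")):
        hits.append("CVE-2025-66200")  # RequestHeader usable from .htaccess
    if on_windows and has("allowencodedslashes", "on") and has("mergeslashes", "off"):
        hits.append("CVE-2025-59775")
    if {"include_module", "cgid_module"} <= mods and has("options", "includes", "+includes"):
        hits.append("CVE-2025-58098")  # SSI with mod_cgid
    if v >= (2, 4, 30) and "md_module" in mods:
        hits.append("CVE-2025-55753")
    if mods & {"cgi_module", "cgid_module"}:
        hits.append("CVE-2025-65082")  # CGI programs receive the environment
    return hits
```

The scan reads one flat text, so files pulled in by Include must be concatenated first, and statically compiled modules do not appear as LoadModule lines; `httpd -M` gives the authoritative module list.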


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




