Apache CVE-2006-20001 / CVE-2022-36760 / CVE-2022-37436

[Josh Levitsky]

As you may be aware, Apache recently released version 2.4.55 to address three vulnerabilities (https://httpd.apache.org/security/vulnerabilities_24.html). Our development team has reviewed all three (CVE-2006-20001/CVE-2022-36760/CVE-2022-37436) and found that FileWave is not vulnerable to any of them. Two of the modules are not used and the third module exploit is not relevant for our implementation. 

We plan to incorporate Apache version 2.4.55 or later in the next possible release, however, due to FileWave 14.10.0 currently going through QA, we have determined that it is not necessary to derail its release for a vulnerability that cannot be executed. If Apache releases further information about this or any additional vulnerabilities, we will continue to evaluate our position.