Apache 2.4.x < 2.4.68 Multiple Vulnerabilities

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(319665);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/08");

  script_cve_id(
    "CVE-2026-29167",
    "CVE-2026-29170",
    "CVE-2026-34355",
    "CVE-2026-34356",
    "CVE-2026-42535",
    "CVE-2026-42536",
    "CVE-2026-43951",
    "CVE-2026-44119",
    "CVE-2026-44185",
    "CVE-2026-44186",
    "CVE-2026-44631",
    "CVE-2026-48913",
    "CVE-2026-49975"
  );

  script_name(english:"Apache 2.4.x < 2.4.68 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Apache httpd installed on the remote host is prior to 2.4.68. It is, therefore, affected by multiple
vulnerabilities as referenced in the 2.4.68 advisory.

  - CVE-2026-49975, also known as HTTP/2 Bomb, is a remote denial-of-service exploit against most major web
    servers, including: nginx, Apache httpd, Microsoft IIS, Envoy, Cloudflare Pingor. The vulnerable behavior
    exists in each server's default HTTP/2 configuration (CVE-2026-49975)

  - mod_xml2enc heap overflow: Heap-based Buffer Overflow vulnerability in Apache HTTP Server with
    mod_xml2enc, xml2StartParse, and untrusted content This issue affects Apache HTTP Server: from 2.4.0
    through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
    Acknowledgements: finder: Zhenpeng (Leo) Lin at depthfirst (CVE-2026-42536)

  - OOB Read in `merge_response_headers` can cause crash: Out-of-bounds Read vulnerability in Apache HTTP
    Server with mod_headers and mod_mime and multiple response languages. This issue affects Apache HTTP
    Server: from 2.4.0 through 2.4.67. Acknowledgements: finder: Zhenpeng (Leo) Lin at depthfirst
    (CVE-2026-43951)

  - escalation of privilege through expressions in .htaccess in multiple modules: Improper Privilege
    Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read
    files with the privileges of the httpd user. This issue affects Apache HTTP Server: from through 2.4.67.
    Users are recommended to upgrade to version 2.4.68, which fixes the issue. Acknowledgements:
    (CVE-2026-44119)

  - Stack Buffer Over-Read in mod_ssl OCSP `send_request`: Buffer Over-read vulnerability in Apache HTTP
    Server via outbound OCSP requests to an attacker controlled OCSP server This issue affects Apache HTTP
    Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the
    issue. Acknowledgements: finder: Zhenpeng (Leo) Lin at depthfirst (CVE-2026-44185)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache version 2.4.68 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-49975");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/02/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/08");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:httpd");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:http_server");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_http_version.nasl", "apache_http_server_nix_installed.nbin", "apache_httpd_win_installed.nbin");
  script_require_keys("installed_sw/Apache");

  exit(0);
}

include('vcf.inc');
include('vcf_extras.inc');

app_info = vcf::apache_http_server::combined_get_app_info(app:'Apache');

var constraints = [
  { 'min_version' : '2.4.0', 'max_version' : '2.4.67', 'fixed_version' : '2.4.68' }
];

vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);