According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.48. It is, therefore, affected by multiple vulnerabilities:
- Unexpected <Location> section matching with ‘MergeSlashes OFF’. (CVE-2021-30641)
- mod_auth_digest: possible stack overflow by one nul byte while validating the Digest nonce. (CVE-2020-35452)
- mod_session: Fix possible crash due to NULL pointer dereference, which could be used to cause a Denial of Service with a malicious backend server and SessionHeader. (CVE-2021-26691)
- mod_session: Fix possible crash due to NULL pointer dereference, which could be used to cause a Denial of Service. (CVE-2021-26690)
- mod_proxy_http: Fix possible crash due to NULL pointer dereference, which could be used to cause a Denial of Service. (CVE-2020-13950)
- Windows: Prevent local users from stopping the httpd process (CVE-2020-13938)
- mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end negotiation. (CVE-2019-17567)
- mod_http2: Fix a potential NULL pointer dereference. (CVE-2021-31618)
Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.
Vendor | Product | Version | CPE |
---|---|---|---|
apache | http_server | * | cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17567
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13938
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13950
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35452
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26690
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26691
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30641
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31618
archive.apache.org/dist/httpd/CHANGES_2.4.48
httpd.apache.org/security/vulnerabilities_24.html#2.4.48