Apache HTTP Server: mod_ssl access control bypass with session resumption

...

Ubuntu 22.04 LTS / 24.04 LTS / 25.04 : Apache HTTP Server vulnerabilities (USN-7639-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7639-1 advisory. It was discovered that the Apache HTTP Server incorrectly handled certain Content-Type response headers. A remote attacker could...

USN-7639-1: Apache HTTP Server vulnerabilities

It was discovered that the Apache HTTP Server incorrectly handled certain Content-Type response headers. A remote attacker could possibly use this issue to perform HTTP response splitting attacks. CVE-2024-42516 xiaojunjie discovered that the Apache HTTP Server modproxy module incorrectly handled...

K000152594: Apache HTTP server vulnerability CVE-2024-43394

Security Advisory Description Server-Side Request Forgery SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via modrewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63...

BIT-APACHE-2025-53020 Apache HTTP Server: HTTP/2 DoS by Memory Increase

Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue...

BIT-APACHE-2025-49812 Apache HTTP Server: mod_ssl TLS upgrade attack

In some modssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommend...

BIT-APACHE-2025-49630 Apache HTTP Server: mod_proxy_http2 denial of service

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in modproxyhttp2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with...

BIT-APACHE-2025-23048 Apache HTTP Server: mod_ssl access control bypass with session resumption

In some modssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when modssl is configured for multiple virtual hosts, with each restricted to a different set of...

BIT-APACHE-2024-47252 Apache HTTP Server: mod_ssl error log variable escaping

Insufficient escaping of user-supplied data in modssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%varnamex" or "%varnamec" to log variables...

BIT-APACHE-2024-43394 Apache HTTP Server: SSRF on Windows due to UNC paths

Server-Side Request Forgery SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via modrewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server...

BIT-APACHE-2024-43204 Apache HTTP Server: SSRF with mod_headers setting Content-Type header

SSRF in Apache HTTP Server with modproxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where modheaders is configured to modify the Content-Type request or response header with a value provided in the HTTP request...

BIT-APACHE-2024-42516 Apache HTTP Server: HTTP response splitting

HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP...

PT-2025-29700 · Apache · Apache Http Server

Name of the Vulnerable Software and Affected Versions: Apache HTTP Server affected versions not specified Description: The provided descriptions indicate a cross-site request forgery issue. The reason for rejection is stated as 'Not used'. Recommendations: At the moment, there is no information...

PT-2025-29699 · Apache · Apache Http Server

Name of the Vulnerable Software and Affected Versions: Apache HTTP Server affected versions not specified Description: The reported issue is a Cross-Site Request Forgery. The reason for rejection is stated as 'Not used'. Recommendations: At the moment, there is no information about a newer versio...

PT-2025-29703 · Apache · Apache Http Server

Name of the Vulnerable Software and Affected Versions: Apache HTTP Server affected versions not specified Description: The vulnerability is a cross-site request forgery. The reason for rejection is stated as 'Not used'. Recommendations: At the moment, there is no information about a newer version...

PT-2025-29701 · Apache · Apache Http Server

Name of the Vulnerable Software and Affected Versions: Apache HTTP Server affected versions not specified Description: The Apache HTTP Server is susceptible to a Cross-Site Request Forgery. The reason for rejection is stated as 'Not used'. Recommendations: At the moment, there is no information...

PT-2025-29698 · Apache · Apache Http Server

Name of the Vulnerable Software and Affected Versions: Apache Apache HTTP Server affected versions not specified Description: The reported issue concerns an authentication bypass. The reason for rejection is stated as 'Not used'. Recommendations: At the moment, there is no information about a new...

PT-2025-29702 · Apache · Apache Http Server

Name of the Vulnerable Software and Affected Versions: Apache HTTP Server affected versions not specified Description: The reported issue concerns a cross-site request forgery. The reason for rejection is stated as 'Not used'. Recommendations: At the moment, there is no information about a newer...

PT-2025-30579

Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 2.4.64 Description A flaw exists in Apache HTTP Server where all "RewriteCond expr ..." tests evaluate as true. Recommendations Upgrade to version 2.4.65...

[SECURITY] Fedora 42 Update: httpd-2.4.64-1.fc42

The Apache HTTP Server is a powerful, efficient, and extensible web server...