11632 matches found

F5 Networks
added 2023/02/21 6:55 p.m. | 46 views

K17296065: Apache mod_userdir vulnerability CVE-2016-4975

Security Advisory Description: Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache...

6.1 CVSS | 6.1 AI score | 0.19798 EPSS | Exploits 0
F5 Networks
added 2023/02/21 6:55 p.m. | 45 views

K28508558: Apache mod_cache vulnerability CVE-2013-4352

Security Advisory Description: The cache_invalidate function in modules/cache/cache_storage.c in the mod_cache module in the Apache HTTP Server 2.4.6, when a caching forward proxy is enabled, allows remote HTTP servers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors...

4.3 CVSS | 8.6 AI score | 0.11534 EPSS | Exploits 0
F5 Networks
added 2023/02/21 6:54 p.m. | 53 views

K13815051: Apache vulnerability CVE-2021-30641

Security Advisory Description: Apache HTTP Server versions 2.4.39 to 2.4.46: Unexpected matching behavior with 'MergeSlashes OFF' (CVE-2021-30641). Impact: There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status: F5 Product Development has evaluated the currently...

5.3 CVSS | 6.5 AI score | 0.52331 EPSS | Exploits 0
F5 Networks
added 2023/02/21 6:54 p.m. | 89 views

K53437580: Apache vulnerabilities CVE-2016-0736 and CVE-2016-2161

Security Advisory Description: CVE-2016-0736: In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryptio...

7.5 CVSS | 7.8 AI score | 0.49024 EPSS | Exploits 4
F5 Networks
added 2023/02/21 6:53 p.m. | 63 views

K56331254: Apache HTTP server vulnerability CVE-2021-41524

Security Advisory Description: While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No...

7.5 CVSS | 7.7 AI score | 0.24982 EPSS | Exploits 0
F5 Networks
added 2023/02/21 6:53 p.m. | 67 views

K27129140: mod_auth_digest vulnerability CVE-2020-35452

Security Advisory Description: Apache HTTP Server versions 2.4.0 to 2.4.46: A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or...

7.3 CVSS | 7.1 AI score | 0.53191 EPSS | Exploits 0
F5 Networks
added 2023/02/21 6:53 p.m. | 44 views

K41454238: Apache mod_auth_openidc vulnerabilities CVE-2021-32785 CVE-2021-32786 CVE-2021-32792

Security Advisory Description: CVE-2021-32785: mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. When mod_auth_openidc versions prior to 2.4.9 are configur...

7.5 CVSS | 6.5 AI score | 0.02731 EPSS | Exploits 1
F5 Networks
added 2023/02/21 6:53 p.m. | 75 views

K82200103: Apache mod_http2 vulnerability CVE-2019-10082

Security Advisory Description: In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. (CVE-2019-10082) Impact: There is no impact; F5 products are not affected by this vulnerability...

9.1 CVSS | 6.5 AI score | 0.16549 EPSS | Exploits 0
F5 Networks
added 2023/02/21 6:53 p.m. | 136 views

K94828628: Apache mod_proxy HTTP/2 vulnerability CVE-2021-33193

Security Advisory Description: A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48. (CVE-2021-33193) Impact: There is no impact; F5 products are not...

7.5 CVSS | 6.3 AI score | 0.46179 EPSS | Exploits 1
F5 Networks
added 2023/02/21 6:52 p.m. | 69 views

K32305110: mod_session vulnerability CVE-2021-26691

Security Advisory Description: In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow (CVE-2021-26691). Impact: There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status: F5 Product...

9.8 CVSS | 8.6 AI score | 0.68067 EPSS | Exploits 0
F5 Networks
added 2023/02/21 6:49 p.m. | 43 views

K28902827: Apache mod_http2 vulnerability CVE-2018-11763

Security Advisory Description: In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not...

5.9 CVSS | 6.1 AI score | 0.51002 EPSS | Exploits 0
F5 Networks
added 2023/02/21 6:48 p.m. | 72 views

K17313: PHP vulnerability CVE-2014-4721

Security Advisory Description: The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain...

2.6 CVSS | 8.8 AI score | 0.0571 EPSS | Exploits 1 | Affected Software 12
F5 Networks
added 2023/02/21 6:47 p.m. | 127 views

K93019301: mod_auth_digest vulnerability CVE-2019-0217

Security Advisory Description: In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. (CVE-2019-0217)...

7.5 CVSS | 6.8 AI score | 0.16645 EPSS | Exploits 0
F5 Networks
added 2023/02/21 6:46 p.m. | 91 views

K20622400: Apache HTTP server vulnerability CVE-2021-39275

Security Advisory Description: ap_escape_quotes may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. (CVE-2021-39275) Impact: This...

9.8 CVSS | 8.3 AI score | 0.36339 EPSS | Exploits 0 | Affected Software 1
F5 Networks
added 2023/02/21 6:35 p.m. | 65 views

K58003591: Apache HTTP server vulnerability CVE-2022-28614

Security Advisory Description: The ap_rwrite function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite or ap_rputs, such as with mod_lua's r:puts function. Modules compiled and distributed separately from...

5.3 CVSS | 7.5 AI score | 0.04398 EPSS | Exploits 0 | Affected Software 14
F5 Networks
added 2023/02/21 6:34 p.m. | 74 views

K87323016: Apache mod_proxy vulnerability CVE-2020-13950

Security Advisory Description: Apache HTTP Server versions 2.4.41 to 2.4.46: mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service (CVE-2020-13950). Impact: There is no impact; F...

7.5 CVSS | 7.6 AI score | 0.49089 EPSS | Exploits 0
F5 Networks
added 2023/02/21 6:34 p.m. | 153 views

K67090077: Apache HTTP Server vulnerability CVE-2022-22720

Security Advisory Description: Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling. (CVE-2022-22720) Impact: Any authenticated user may exploit this vulnerability and cause a...

9.8 CVSS | 8.2 AI score | 0.28189 EPSS | Exploits 0 | Affected Software 17
F5 Networks
added 2023/02/21 6:34 p.m. | 69 views

K41320158: Apache vulnerability CVE-2021-26690

Security Advisory Description: Apache HTTP Server versions 2.4.0 to 2.4.46: A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service (CVE-2021-26690). Impact: There is no impact; F5 products are not affected by this...

7.5 CVSS | 7.5 AI score | 0.65067 EPSS | Exploits 0
F5 Networks
added 2023/02/21 6:34 p.m. | 56 views

K32071141: Apache mod_http2 vulnerability CVE-2016-8740

Security Advisory Description: The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION...

7.5 CVSS | 7.6 AI score | 0.7907 EPSS | Exploits 4
F5 Networks
added 2023/02/21 6:34 p.m. | 42 views

K44834280: Multiple Treck vulnerabilities CVE-2020-25066, CVE-2020-27336, CVE-2020-27337, and CVE-2020-27338

Security Advisory Description: CVE-2020-25066: A heap-based buffer overflow in the Treck HTTP Server component before 6.0.1.68 allows remote attackers to cause a denial of service (crash/reset) or to possibly execute arbitrary code. CVE-2020-27336: An issue was discovered in Treck IPv6 before 6.0.1.68...

10 CVSS | 7.4 AI score | 0.03348 EPSS | Exploits 0