K41454238: Apache mod_auth_openidc vulnerabilities CVE-2021-32785 CVE-2021-32786 CVE-2021-32792

Security Advisory Description CVE-2021-32785 modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. When modauthopenidc versions prior to 2.4.9 are configur...

K94828628: Apache mod_proxy HTTP/2 vulnerability CVE-2021-33193

Security Advisory Description A crafted method sent through HTTP/2 will bypass validation and be forwarded by modproxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48. CVE-2021-33193 Impact There is no impact; F5 products are not...

K32305110: mod_session vulnerability CVE-2021-26691

Security Advisory Description In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow CVE-2021-26691 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product...

K17313: PHP vulnerability CVE-2014-4721

Security Advisory Description The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHPAUTHPW, PHPAUTHTYPE, PHPAUTHUSER, and PHPSELF variables, which might allow context-dependent attackers to obtain...

K93019301: mod_auth_digest vulnerability CVE-2019-0217

Security Advisory Description In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in modauthdigest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. CVE-2019-0217...

K20622400: Apache HTTP server vulnerability CVE-2021-39275

Security Advisory Description apescapequotes may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. CVE-2021-39275 Impact This...

K58003591: Apache HTTP server vulnerability CVE-2022-28614

Security Advisory Description The aprwrite function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using aprwrite or aprputs, such as with modluas r:puts function. Modules compiled and distributed separately from...

K67090077: Apache HTTP Server vulnerability CVE-2022-22720

Security Advisory Description Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling. CVE-2022-22720 Impact Any authenticated user may exploit this vulnerability and cause a...

K41320158: Apache vulnerability CVE-2021-26690

Security Advisory Description Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by modsession can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service CVE-2021-26690 Impact There is no impact; F5 products are not affected by this...

K32071141: Apache mod_http2 vulnerability CVE-2016-8740

Security Advisory Description The modhttp2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service memory consumption via crafted CONTINUATION...

K23153696: Apache HTTPD vulnerability CVE-2020-1927

Security Advisory Description In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with modrewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. CVE-2020-1927 Impact An attacker can abuse...

K22893952: Apache vulnerability CVE-2019-0190

Security Advisory Description A bug exists in the way modssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause modssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when...

K67175700: Apache vulnerabilities CVE-2020-9490, CVE-2020-11984, CVE-2020-11993

Security Advisory Description CVE-2020-9490 Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via...

K15320: Apache vulnerability CVE-2014-0098

Security Advisory Description The logcookie function in modlogconfig.c in the modlogconfig module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service segmentation fault and daemon crash via a crafted cookie that is not properly handled during truncation...

K13114: Apache Range header vulnerability - CVE-2011-3192

Security Advisory Description The byte-range filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial-of-service memory and CPU consumption using aRange header that expresses multiple overlapping ranges. When this vulnerabili...

K15877: Apache vulnerability CVE-2013-1862

Security Advisory Description modrewrite.c in the modrewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequen...

K17201: Apache HTTP server vulnerability CVE-2008-0455

Security Advisory Description Cross-site scripting XSS vulnerability in the modnegotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitra...

K17202: Apache HTTP server vulnerability CVE-2012-3502

Security Advisory Description The proxy functionality in 1 modproxyajp.c in the modproxyajp module and 2 modproxyhttp.c in the modproxyhttp module in the Apache HTTP Server 2.4.x before 2.4.3 does not properly determine the situations that require closing a back-end connection, which allows remot...

K12636: Slowloris denial-of-service attack vulnerability CVE-2007-6750

Security Advisory Description The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service daemon outage via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the modreqtimeout module in versions before 2.2.15. CVE-2007-6750 Impact The Slowlori...

K53280389: Apache HTTP server vulnerability CVE-2021-44790

Security Advisory Description A carefully crafted request body can cause a buffer overflow in the modlua multipart parser r:parsebody called from Lua scripts. The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache...