5774 matches found

CVE
added 2025/07/10 4:58 p.m. | 387 views

CVE-2025-49812

CVE-2025-49812 affects Apache HTTP Server (httpd) via mod_ssl in some mod_ssl configurations up to version 2.4.63. An HTTP desynchronisation attack lets a MITM hijack a session during TLS upgrade when SSLEngine optional is used. Upgrading to httpd 2.4.64 (which removes TLS upgrade support) is the...

CVSS: 7.4 | AI score: 6.4 | EPSS: 0.00446
Exploits: 0 | References: 5 | Affected Software: 1
Cvelist
added 2025/07/10 4:57 p.m. | 9 views

CVE-2025-49630 Apache HTTP Server: mod_proxy_http2 denial of service

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with...

EPSS: 0.03545
Exploits: 0 | References: 1
Vulnrichment
added 2025/07/10 4:57 p.m. | 2 views

CVE-2025-49630 Apache HTTP Server: mod_proxy_http2 denial of service

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with...

AI score: 6.1 | EPSS: 0.03545
Exploits: 0 | References: 1
AlpineLinux
added 2025/07/10 4:57 p.m. | 3 views

CVE-2025-49630

In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.03545
Exploits: 0
CVE
added 2025/07/10 4:57 p.m. | 273 views

CVE-2025-49630

CVE-2025-49630 affects the Apache HTTP Server (httpd) mod_proxy_http2. In certain reverse-proxy configurations (HTTP/2 backend and ProxyPreserveHost set to “on”), untrusted clients can trigger an assertion in mod_proxy_http2, causing a denial-of-service on affected 2.4.26–2.4.63 servers. Connecte...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.03545
Exploits: 0 | References: 4 | Affected Software: 1
Vulnrichment
added 2025/07/10 4:56 p.m. | 7 views

CVE-2025-23048 Apache HTTP Server: mod_ssl access control bypass with session resumption

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of...

AI score: 6.1 | EPSS: 0.00058
Exploits: 1 | References: 1
CVE
added 2025/07/10 4:56 p.m. | 1087 views

CVE-2025-23048

Affected software: Apache HTTP Server (httpd). CVE-2025-23048 describes an access-control bypass in mod_ssl when TLS 1.3 session resumption is used in configurations with multiple virtual hosts, each with different trusted client certificates; a client trusted for one vhost could access another i...

CVSS: 9.1 | AI score: 6.5 | EPSS: 0.00058
Exploits: 1 | References: 4 | Affected Software: 1
Cvelist
added 2025/07/10 4:56 p.m. | 12 views

CVE-2025-23048 Apache HTTP Server: mod_ssl access control bypass with session resumption

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of...

EPSS: 0.00058
Exploits: 1 | References: 1
AlpineLinux
added 2025/07/10 4:56 p.m. | 5 views

CVE-2025-23048

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of...

CVSS: 9.1 | AI score: 6.5 | EPSS: 0.00058
Exploits: 1
Debian CVE
added 2025/07/10 4:56 p.m. | 6 views

CVE-2025-23048

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of...

CVSS: 9.1 | AI score: 7.9 | EPSS: 0.00058
Exploits: 1
Debian CVE
added 2025/07/10 4:56 p.m. | 4 views

CVE-2024-43394

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server...

CVSS: 7.5 | AI score: 7.7 | EPSS: 0.00242
Exploits: 0
Cvelist
added 2025/07/10 4:56 p.m. | 8 views

CVE-2024-43394 Apache HTTP Server: SSRF on Windows due to UNC paths

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server...

EPSS: 0.00242
Exploits: 0 | References: 1
CVE
added 2025/07/10 4:56 p.m. | 235 views

CVE-2024-43394

Summary of CVE-2024-43394: A Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows could leak NTLM hashes via unvalidated input passed through mod_rewrite or Apache expressions. Affected versions are 2.4.0 through 2.4.63. The issue stems from how UNC paths may be unwittingly used, ...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.00242
Exploits: 0 | References: 4 | Affected Software: 1
AlpineLinux
added 2025/07/10 4:56 p.m. | 3 views

CVE-2024-43394

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.00242
Exploits: 0
Vulnrichment
added 2025/07/10 4:56 p.m. | 2 views

CVE-2024-43394 Apache HTTP Server: SSRF on Windows due to UNC paths

Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server...

AI score: 6.1 | EPSS: 0.00242
Exploits: 0 | References: 1
AlpineLinux
added 2025/07/10 4:55 p.m. | 2 views

CVE-2024-47252

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables...

CVSS: 7.5 | AI score: 6.4 | EPSS: 0.00651
Exploits: 0
Debian CVE
added 2025/07/10 4:55 p.m. | 3 views

CVE-2024-47252

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables...

CVSS: 7.5 | AI score: 7.2 | EPSS: 0.00651
Exploits: 0
Vulnrichment
added 2025/07/10 4:55 p.m. | 2 views

CVE-2024-47252 Apache HTTP Server: mod_ssl error log variable escaping

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables...

AI score: 6 | EPSS: 0.00651
Exploits: 0 | References: 1
Cvelist
added 2025/07/10 4:55 p.m. | 12 views

CVE-2024-47252 Apache HTTP Server: mod_ssl error log variable escaping

Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables...

EPSS: 0.00651
Exploits: 0 | References: 1
CVE
added 2025/07/10 4:55 p.m. | 304 views

CVE-2024-47252

CVE-2024-47252 concerns the Apache HTTP Server’s mod_ssl: in versions up to 2.4.63, insufficient escaping of user-supplied data can allow an untrusted TLS client to insert escape characters into log files in some configurations (notably when CustomLog uses "%{varname}x" or "%{varname}c" to log mo...

CVSS: 7.5 | AI score: 6.4 | EPSS: 0.00651
Exploits: 0 | References: 4 | Affected Software: 1