
1187 matches found

CNVD
added 2019/04/03 12:00 a.m. · 14 views

Apache HTTP Server Authentication Bypass Vulnerability

Apache HTTP Server is an open source web server from the Apache Software Foundation (United States). An authentication bypass vulnerability exists in Apache HTTP Server. An attacker can exploit the vulnerability to bypass the authentication mechanism and perform unauthorized operations...

CVSS 7.5 · AI score 9.7 · EPSS 0.16083
Exploits: 0 · References: 1
OSV
added 2019/04/02 12:00 a.m. · 0 views

UBUNTU-CVE-2019-0217

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions...

CVSS 7.5 · AI score 6.9 · EPSS 0.16083
Exploits: 0 · References: 5
OSV
added 2019/03/26 6:29 p.m. · 2 views

DEBIAN-CVE-2019-3878

A vulnerability was found in mod_auth_mellon before v0.14.2. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users with the require valid-user directive, adding special HTTP headers that are normally used to start the special SAML ECP...

CVSS 8.1 · AI score 7.6 · EPSS 0.02969
Exploits: 1 · References: 1
Positive Technologies
added 2019/03/20 12:00 a.m. · 7 views

PT-2019-3015

Name of the Vulnerable Software and Affected Versions: HTTP/2 implementations (affected versions not specified); nginx (affected versions not specified); Node.js (affected versions not specified); Apache HTTP Server (affected versions not specified); Windows (affected versions not specified). Description: The iss...

CVSS 9.8 · AI score 9 · EPSS 0.99999
Exploits: 94 · References: 433
RedHat Linux
added 2019/02/18 4:58 p.m. · 5 views

httpd: Weak Digest auth nonce generation in mod_auth_digest

In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed...

CVSS 9.8 · AI score 7.3 · EPSS 0.15885
Exploits: 0 · References: 5
RedHat Linux
added 2019/02/18 4:58 p.m. · 5 views

httpd: mod_http2: Too much time allocated to workers, possibly leading to DoS

By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34. Affected: 2.4.18-2.4.30, 2.4.33...

CVSS 7.5 · AI score 7.3 · EPSS 0.17103
Exploits: 0 · References: 5
RedHat Linux
added 2019/02/18 4:58 p.m. · 2 views

httpd: Out of bounds access after failure in reading the HTTP request

A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out-of-bounds access after a size limit is reached while reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode at both log and build level...

CVSS 5.9 · AI score 7.3 · EPSS 0.15564
Exploits: 0 · References: 5
RedHat Linux
added 2019/02/18 4:58 p.m. · 4 views

httpd: DoS for HTTP/2 connections by continuous SETTINGS frames

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming into effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol...

CVSS 5.9 · AI score 7.2 · EPSS 0.51002
Exploits: 0 · References: 4
RedHat Linux
added 2019/02/18 4:55 p.m. · 2 views

httpd: mod_http2: Too much time allocated to workers, possibly leading to DoS

By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34. Affected: 2.4.18-2.4.30, 2.4.33...

CVSS 7.5 · AI score 7.3 · EPSS 0.17103
Exploits: 0 · References: 5
RedHat Linux
added 2019/02/18 4:55 p.m. · 4 views

httpd: DoS for HTTP/2 connections by continuous SETTINGS frames

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming into effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol...

CVSS 5.9 · AI score 7.2 · EPSS 0.51002
Exploits: 0 · References: 4
RedHat Linux
added 2019/02/18 4:55 p.m. · 7 views

httpd: Weak Digest auth nonce generation in mod_auth_digest

In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed...

CVSS 9.8 · AI score 7.3 · EPSS 0.15885
Exploits: 0 · References: 5
Broadcom
added 2019/02/07 12:00 a.m. · 5 views

BSA-2019-755

Security Advisory ID: BSA-2019-755 · Component: Apache · Revision: 1.0: Final. Apache 2.4 vulnerabilities in Brocade Fibre Channel Products from Broadcom. Multiple Brocade Fibre Channel technology products from Broadcom incorporate Apache httpd 2.4 libraries. In January 2019, Apache released a list...

CVSS 7.5 · AI score 9.2 · EPSS 0.59942
Exploits: 0
OSV
added 2019/02/05 5:29 p.m. · 2 views

ALPINE-CVE-2018-11803

Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10.0 to 1.10.3 will crash after dereferencing an uninitialized pointer if the client omits the root path in a recursive directory listing operation...

CVSS 7.5 · AI score 7 · EPSS 0.57822
Exploits: 0 · References: 1
OSV
added 2019/01/30 10:29 p.m. · 2 views

ALPINE-CVE-2018-17199

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded...

CVSS 7.5 · AI score 6.9 · EPSS 0.19994
Exploits: 0 · References: 1
OSV
added 2019/01/30 10:29 p.m. · 1 views

DEBIAN-CVE-2018-17189

In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 mod_http2 connections...

CVSS 5.3 · AI score 7.8 · EPSS 0.20071
Exploits: 0 · References: 1
Positive Technologies
added 2019/01/29 12:00 a.m. · 7 views

PT-2019-3932 · Apache +7 · Apache Http Server +7

Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.34 through 2.4.38. Description: A vulnerability was found in the implementation of the HTTP/2 protocol in the Apache HTTP Server. The issue is related to the handling of HTTP requests. When HTTP/2 was enabled fo...

CVSS 9.1 · AI score 6.8 · EPSS 0.82007
Exploits: 14 · References: 160
CNVD
added 2019/01/25 12:00 a.m. · 46 views

Apache HTTP Server Denial of Service Vulnerability

Apache HTTP Server is an open source web server from the Apache Software Foundation (United States). The server is fast, reliable and can be extended through a simple API. A security vulnerability exists in the HTTP/2 mod_http2 connection handling of httpd in Apache HTTP Server versions 2.4.17 through...

CVSS 5.3 · AI score 8.4 · EPSS 0.20071
Exploits: 0 · References: 1
BDU FSTEC
added 2019/01/23 12:00 a.m. · 3 views

The vulnerability of the Apache HTTP server relates to the use of memory after it is freed. This allows an attacker to access parts of the server's memory, cause failures in the child process of httpd, or gain access to closed HTTP resources.

The vulnerability of the Apache HTTP server is related to the use of memory after it is freed during the processing of comments in the Allow and Deny directives of the .htaccess configuration file. Exploiting this vulnerability allows a remote attacker to cause a child process of the httpd to cra...

CVSS 6.5 · AI score 6.8 · EPSS 0.08078
Exploits: 0 · References: 4 · Affected Software: 1
Packet Storm
added 2019/01/16 12:00 a.m. · 40 views

Roxy Fileman 1.4.5 Arbitrary File Download

Exploit Title: Roxy Fileman 1.4.5 - Arbitrary File Download · Dork: N/A · Date: 2019-01-16 · Exploit Author: Ihsan Sencan · Vendor Homepage: http://www.roxyfileman.com/ · Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-php · Version: 1.4.5 · Category: Webapps · Tested on: WiN7x64/KaLiLinuXx64 · CVE:...

Exploits: 0
exploitpack
added 2019/01/14 12:00 a.m. · 12 views

Bigcart - Ecommerce Multivendor System 1.0 - SQL Injection

Bigcart - Ecommerce Multivendor System 1.0 - SQL Injection · Exploit Title: Bigcart - Ecommerce Multivendor System 1.0 - SQL Injection · Dork: N/A · Date: 2019-01-14 · Exploit Author: Ihsan Sencan · Vendor Homepage: http://ocsolutions.co.in/ · Software Link:...

AI score 0.6
Exploits: 0