SUSE CVE-2014-0231

The modcgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service process hang via a request to a CGI script that does not read from its stdin file descriptor...

SUSE CVE-2014-3583

The handleheaders function in modproxyfcgi.c in the modproxyfcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service buffer over-read and daemon crash via long response headers...

SUSE CVE-2015-0228

The luawebsocketread function in luarequest.c in the modlua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service child-process crash by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function...

SUSE CVE-2016-0736

In Apache HTTP Server versions 2.4.0 to 2.4.23, modsessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation AES256-CBC by default, hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle...

SUSE CVE-2016-2161

In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to modauthdigest can cause the server to crash, and each instance continues to crash even for subsequently valid requests...

SUSE CVE-2018-17199

In Apache HTTP Server 2.4 release 2.4.37 and prior, modsession checks the session expiry time before decoding the session. This causes session expiry time to be ignored for modsessioncookie sessions since the expiry time is loaded when the session is decoded...

SUSE CVE-2019-0215

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in modssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions...

SUSE CVE-2019-10097

In Apache HTTP Server 2.4.32-2.4.39, when modremoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted pro...

SUSE CVE-2020-11984

Apache HTTP server 2.4.32 to 2.4.44 modproxyuwsgi info disclosure and possible RCE...

SUSE CVE-2020-11993

Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of modhttp2 above "info" will mitigate this...

SUSE CVE-2020-13950

Apache HTTP Server versions 2.4.41 to 2.4.46 modproxyhttp can be made to crash NULL pointer dereference with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service...

SUSE CVE-2021-26690

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by modsession can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service...

SUSE CVE-2021-39275

apescapequotes may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier...

SUSE CVE-2021-44224

A crafted URI sent to httpd configured as a forward proxy ProxyRequests on can cause a crash NULL pointer dereference or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint Server Side Request Forgery...

SUSE CVE-2022-22719

A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier...

SUSE CVE-2022-28615

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in apstrcmpmatch when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use...

SUSE CVE-2022-37436

Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client...

VulnCheck KEV: CVE-2016-0736

In Apache HTTP Server versions 2.4.0 to 2.4.23, modsessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation AES256-CBC by default, hence no selectable or builtin authenticated encryption. This made it vulnerable to padding...

Apache HTTP Server SEoL (<= 1.3.x)

According to its version, Apache HTTP Server is less than or equal to 1.3.x. It is, therefore, no longer maintained by its vendor or provider. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it may contain security vulnerabilities...

Apache HTTP Server SEoL (2.1.x <= x <= 2.2.x)

According to its version, Apache HTTP Server is between 2.1.x and 2.2.x. It is, therefore, no longer maintained by its vendor or provider. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it may contain security vulnerabilities...