5645 matches found
CVE-2024-43204
SSRF in Apache HTTP Server with modproxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where modheaders is configured to modify the Content-Type request or response header with a value provided in the HTTP request...
ALPINE-CVE-2024-42516
HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP...
UBUNTU-CVE-2025-53020
Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue...
CVE-2025-53020
Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue...
CVE-2025-53020 Apache HTTP Server: HTTP/2 DoS by Memory Increase
Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue...
CVE-2025-53020
CVE-2025-53020 affects Apache HTTP Server versions 2.4.17 through 2.4.63. The issue is described as a Late Release of Memory after Effective Lifetime vulnerability. The recommended remediation is to upgrade to version 2.4.64, which fixes the issue. Public references from Debian, Amazon Linux advi...
CVE-2025-53020 Apache HTTP Server: HTTP/2 DoS by Memory Increase
Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue...
CVE-2025-49812
In some modssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommend...
CVE-2025-49812 Apache HTTP Server: mod_ssl TLS upgrade attack
In some modssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommend...
CVE-2025-49812
In some modssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommend...
CVE-2025-49812
CVE-2025-49812 affects Apache HTTP Server (httpd) via mod_ssl in some mod_ssl configurations up to version 2.4.63. An HTTP desynchronisation attack lets a MITM hijack a session during TLS upgrade when SSLEngine optional is used. Upgrading to httpd 2.4.64 (which removes TLS upgrade support) is the...
CVE-2025-49812 Apache HTTP Server: mod_ssl TLS upgrade attack
In some modssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommend...
CVE-2025-49630 Apache HTTP Server: mod_proxy_http2 denial of service
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in modproxyhttp2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with...
CVE-2025-49630 Apache HTTP Server: mod_proxy_http2 denial of service
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in modproxyhttp2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with...
CVE-2025-49630
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in modproxyhttp2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with...
CVE-2025-49630
CVE-2025-49630 affects the Apache HTTP Server (httpd) mod_proxy_http2. In certain reverse-proxy configurations (HTTP/2 backend and ProxyPreserveHost set to “on”), untrusted clients can trigger an assertion in mod_proxy_http2, causing a denial-of-service on affected 2.4.26–2.4.63 servers. Connecte...
CVE-2025-23048 Apache HTTP Server: mod_ssl access control bypass with session resumption
In some modssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when modssl is configured for multiple virtual hosts, with each restricted to a different set of...
CVE-2025-23048 Apache HTTP Server: mod_ssl access control bypass with session resumption
In some modssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when modssl is configured for multiple virtual hosts, with each restricted to a different set of...
CVE-2025-23048
Affected software: Apache HTTP Server (httpd). CVE-2025-23048 describes an access-control bypass in mod_ssl when TLS 1.3 session resumption is used in configurations with multiple virtual hosts, each with different trusted client certificates; a client trusted for one vhost could access another i...
CVE-2025-23048
In some modssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when modssl is configured for multiple virtual hosts, with each restricted to a different set of...