5645 matches found
CVE-2025-23048
In some modssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when modssl is configured for multiple virtual hosts, with each restricted to a different set of...
CVE-2024-43394
Server-Side Request Forgery SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via modrewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server...
CVE-2024-43394 Apache HTTP Server: SSRF on Windows due to UNC paths
Server-Side Request Forgery SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via modrewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server...
CVE-2024-43394
Summary of CVE-2024-43394 : A Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows could leak NTLM hashes via unvalidated input passed through mod_rewrite or Apache expressions. Affected versions are 2.4.0 through 2.4.63. The issue stems from how UNC paths may be unwittingly used, ...
CVE-2024-43394
Server-Side Request Forgery SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via modrewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server...
CVE-2024-43394 Apache HTTP Server: SSRF on Windows due to UNC paths
Server-Side Request Forgery SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via modrewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server...
CVE-2024-47252
Insufficient escaping of user-supplied data in modssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%varnamex" or "%varnamec" to log variables...
CVE-2024-47252 Apache HTTP Server: mod_ssl error log variable escaping
Insufficient escaping of user-supplied data in modssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%varnamex" or "%varnamec" to log variables...
CVE-2024-47252 Apache HTTP Server: mod_ssl error log variable escaping
Insufficient escaping of user-supplied data in modssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%varnamex" or "%varnamec" to log variables...
CVE-2024-47252
CVE-2024-47252 concerns the Apache HTTP Server’s mod_ssl: in versions up to 2.4.63, insufficient escaping of user-supplied data can allow an untrusted TLS client to insert escape characters into log files in some configurations (notably when CustomLog uses "%{varname}x" or "%{varname}c" to log mo...
CVE-2024-43204 Apache HTTP Server: SSRF with mod_headers setting Content-Type header
SSRF in Apache HTTP Server with modproxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where modheaders is configured to modify the Content-Type request or response header with a value provided in the HTTP request...
CVE-2024-43204
CVE-2024-43204 affects Apache HTTP Server when mod_proxy is loaded. The vulnerability permits SSRF by sending outbound proxy requests to a URL controlled by the attacker, requiring an unlikely configuration in which mod_headers modifies the Content-Type header with a value provided in the HTTP re...
CVE-2024-43204 Apache HTTP Server: SSRF with mod_headers setting Content-Type header
SSRF in Apache HTTP Server with modproxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where modheaders is configured to modify the Content-Type request or response header with a value provided in the HTTP request...
CVE-2024-43204
SSRF in Apache HTTP Server with modproxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where modheaders is configured to modify the Content-Type request or response header with a value provided in the HTTP request...
CVE-2024-43204
SSRF in Apache HTTP Server with modproxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where modheaders is configured to modify the Content-Type request or response header with a value provided in the HTTP request...
CVE-2024-42516 Apache HTTP Server: HTTP response splitting
HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP...
CVE-2024-42516
HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP...
CVE-2024-42516 Apache HTTP Server: HTTP response splitting
HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP...
CVE-2024-42516
CVE-2024-42516 affects Apache HTTP Server (httpd). The issue is HTTP response splitting caused by faulty input validation in the core, allowing manipulation of Content-Type headers to split responses. Reports indicate the vulnerability was discussed as CVE-2023-38709, with patches through 2.4.59 ...
CVE-2024-42516
HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP...