Apache Httpd < 2.2.34 : Uninitialized memory reflection in mod_auth_digest

The value placeholder in Proxy-Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by modauthdigest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior...

http-vuln-cve2017-8917 NSE Script

An SQL Injection vulnerability affecting Joomla! 3.7.x before 3.7.1 allows for unauthenticated users to execute arbitrary SQL commands. This vulnerability was caused by a new component, comfields, which was introduced in version 3.7. This component is publicly accessible, which means this can be...

Debian DSA-3896-1 : apache2 - security update

Several vulnerabilities have been found in the Apache HTTPD server. - CVE-2017-3167 Emmanuel Dreyfus reported that the use of apgetbasicauthpw by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. - CVE-2017-3169 Vasileios Panopoulos of...

Amazon Linux AMI : httpd (ALAS-2017-851)

Apache HTTP Request Parsing Whitespace Defects It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that...

[SECURITY] [DSA 3896-1] apache2 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-3896-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 22, 2017 https://www.debian.org/security/faq -...

Medium: httpd

Issue Overview: Apache HTTP Request Parsing Whitespace Defects It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or...

Debian Security Advisory DSA 3896-1 (apache2 - security update)

Several vulnerabilities have been found in the Apache HTTPD server. CVE-2017-3167 Emmanuel Dreyfus reported that the use of apgetbasicauthpw by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. CVE-2017-3169 Vasileios Panopoulos of...

Apache HTTP Server Denial of Service Vulnerability (CNVD-2017-11802)

Apache httpd is the U.S. Apache Apache Software Foundation, an open source HTTP server developed and maintained specifically for modern operating systems. A security vulnerability exists in Apache httpd version 2.2.x prior to 2.2.33 and version 2.4.x prior to 2.4.26. An attacker can exploit this...

Debian: Security Advisory (DSA-3896-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Internet Bug Bounty: ap_find_token() Buffer Overread

Versions Affected: httpd 2.2.32 httpd 2.4.24 unreleased httpd 2.4.25 Description: The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows apfindtoken to search past the end of its input string. By maliciously crafting a sequence of request...

Default credentials

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, modmime can read one byte past the end of a buffer when sending a malicious Content-Type response header...

DEBIAN-CVE-2017-3169

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, modssl may dereference a NULL pointer when third-party modules call aphookprocessconnection during an HTTP request to an HTTPS port...

DEBIAN-CVE-2017-3167

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the apgetbasicauthpw by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed...

Authentication flaw

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the apgetbasicauthpw by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed...

Null pointer dereference

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, modssl may dereference a NULL pointer when third-party modules call aphookprocessconnection during an HTTP request to an HTTPS port...

Input validation

The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows apfindtoken to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to...

CVE-2017-3167

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the apgetbasicauthpw by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed...

CVE-2017-3169

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, modssl may dereference a NULL pointer when third-party modules call aphookprocessconnection during an HTTP request to an HTTPS port...

CVE-2017-7679

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, modmime can read one byte past the end of a buffer when sending a malicious Content-Type response header...

ALPINE-CVE-2017-7679

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, modmime can read one byte past the end of a buffer when sending a malicious Content-Type response header...