SUSE CVE-2010-2791

modproxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in...

SUSE CVE-2011-3348

The modproxyajp module in the Apache HTTP Server before 2.2.21, when used with modproxybalancer in certain configurations, allows remote attackers to cause a denial of service temporary "error state" in the backend server via a malformed HTTP request...

SUSE CVE-2014-0117

The modproxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service child-process crash via a crafted HTTP Connection header...

SUSE CVE-2014-3583

The handleheaders function in modproxyfcgi.c in the modproxyfcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service buffer over-read and daemon crash via long response headers...

SUSE CVE-2019-10092

In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the modproxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with...

SUSE CVE-2020-11984

Apache HTTP server 2.4.32 to 2.4.44 modproxyuwsgi info disclosure and possible RCE...

SUSE CVE-2021-33193

A crafted method sent through HTTP/2 will bypass validation and be forwarded by modproxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48...

SUSE CVE-2021-40438

A crafted request uri-path can cause modproxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier...

CLSA-2023-1675985294 Fix CVE(s): CVE-2022-37436

SECURITY UPDATE: modproxy may trigger HTTP response splitting - debian/patches/CVE-2022-37436.patch: fail on bad header - CVE-2022-37436...

USN-5839-2 apache2 vulnerability

USN-5839-1 fixed a vulnerability in Apache. This update provides the corresponding update for Ubuntu 16.04 ESM. Original advisory details: Dimas Fariski Setyawan Putra discovered that the Apache HTTP Server modproxy module incorrectly truncated certain response headers. This may result in later...

The vulnerability of the mod_proxy_ajp module in the Apache HTTP Server allows a hacker to send hidden HTTP requests (HTTP Request Smuggling attack).

The vulnerability of the modproxyajp module in the Apache HTTP Server is related to deficiencies in header processing for Transfer-Encoding. Exploiting this vulnerability allows a malicious actor to send hidden HTTP requests HTTP Request Smuggling attacks...

CLSA-2023-1675111279 Fix CVE(s): CVE-2022-36760

SECURITY UPDATE: possible HTTP request smuggling in the modproxyajp - debian/patches/CVE-2022-36760.patch: ensure connection closure for an invalid Transfer-Encoding header, to prevent HTTP request smuggling attack with an AJP proxy - CVE-2022-36760...

AZL-13027 CVE-2022-36760 affecting package httpd for versions less than 2.4.55-1

Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in modproxyajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions...

ALPINE-CVE-2022-36760

Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in modproxyajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions...

Apache HTTP Server 环境问题漏洞

Apache HTTP Server is the United States Apache Apache Foundation of an open source web server . The server is fast, reliable and can be expanded through a simple API. An Http request smuggling vulnerability exists in Apache HTTP Server versions 2.4.0 through 2.4.55 and earlier, which stems from a...

httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism

A flaw was found in the modproxy module of httpd. The server may remove the X-Forwarded- headers from a request based on the client-side Connection header hop-by-hop mechanism...

httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism

A flaw was found in the modproxy module of httpd. The server may remove the X-Forwarded- headers from a request based on the client-side Connection header hop-by-hop mechanism...

PT-2023-2026

Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 2.4.0 through 2.4.55 Description The issue is related to HTTP Request Smuggling attacks, which can occur when mod proxy is enabled along with certain RewriteRule or ProxyPassMatch configurations. These configuration...

httpd: possible NULL dereference or SSRF in forward proxy configurations

There's a null pointer dereference and server-side request forgery flaw in httpd's modproxy module, when it is configured to be used as a forward proxy. A crafted packet could be sent on the adjacent network to the forward proxy that could cause a crash, or potentially SSRF via misdirected Unix...

httpd: Request splitting via HTTP/2 method injection and mod_proxy

A NULL pointer dereference was found in Apache httpd modh2. The highest threat from this flaw is to system integrity...