DEBIAN-CVE-2016-8740

The modhttp2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service memory consumption via crafted CONTINUATION frames in an HTTP/2 request...

CVE-2016-8740

CVE-2016-8740 affects Apache HTTP Server mod_http2 when Protocols includes h2/h2c. A memory-exhaustion DoS arises from improper restriction of request-header length in crafted CONTINUATION frames in versions 2.4.17–2.4.23. Connected sources confirm the root cause is header-length handling without...

CVE-2016-8740

The modhttp2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service memory consumption via crafted CONTINUATION frames in an HTTP/2 request...

CVE-2016-8740

The modhttp2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service memory consumption via crafted CONTINUATION frames in an HTTP/2 request...

KLA10907 Denial of service vulnerability in Apache HTTP Server

An unspecified vulnerability was found in Apache HTTP Server 2.4.17 through 2.4.23. By exploiting this vulnerability malicious users can cause denial of service. This vulnerability can be exploited remotely via crafted continuation frames in a HTTP/2 request. Technical details Vulnerability occur...

Apache Httpd < 2.4.26 : mod_http2 Null Pointer Dereference

A maliciously constructed HTTP/2 request could cause modhttp2 to dereference a NULL pointer and crash the server process...

Apache HTTP Server Security Bypass Vulnerability (Jul 2016)

Apache HTTP Server is prone to a security bypass vulnerability. SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:apache:httpserver...

CVE-2016-4979

The Apache HTTP Server 2.4.18 through 2.4.20, when modhttp2 and modssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple...

DEBIAN-CVE-2016-1546

The Apache HTTP Server 2.4.17 and 2.4.18, when modhttp2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service stream-processing outage via modified flow-control windows...

Authorization

The Apache HTTP Server 2.4.18 through 2.4.20, when modhttp2 and modssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple...

CVE-2016-4979

The Apache HTTP Server 2.4.18 through 2.4.20, when modhttp2 and modssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple...

Buffer overflow

The Apache HTTP Server 2.4.17 and 2.4.18, when modhttp2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service stream-processing outage via modified flow-control windows...

CVE-2016-4979

The Apache HTTP Server 2.4.18 through 2.4.20, when modhttp2 and modssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple...

CVE-2016-1546

CVE-2016-1546 affects Apache HTTP Server 2.4.17/2.4.18 with mod_http2 enabled, where there is no limit on the number of simultaneous stream workers for a single HTTP/2 connection. This can allow remote attackers to cause a denial of service (stream-processing outage) via modified flow-control win...

CVE-2016-4979

CVE-2016-4979 affects Apache HTTP Server 2.4.18–2.4.20 when mod_http2 and mod_ssl are enabled; it fails to recognize the SSLVerifyClient require directive for HTTP/2 request authorization, enabling bypass of access restrictions by abusing multiple requests on a single connection and renegotiation...

EUVD-2016-5947

The Apache HTTP Server 2.4.18 through 2.4.20, when modhttp2 and modssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple...

Apache Httpd < 2.4.20 : mod_http2: denial of service by thread starvation

By manipulating the flow control windows on streams, a client was able to block server threads for long times, causing starvation of worker threads. Connections could still be opened, but no streams where processed for these. This issue affected HTTP/2 support in 2.4.17 and 2.4.18...