Apache Httpd < 2.4.53 : HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling...

Apache Httpd < 2.4.54 : mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded- headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application...

Apache Httpd < 2.4.33 : Weak Digest auth nonce generation in mod_auth_digest

When generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker withou...

Apache Httpd < 2.4.49 : ap_escape_quotes buffer overflow

apescapequotes may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier...

Apache Httpd < 2.4.41 : mod_rewrite potential open redirect

Redirects configured with modrewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL...

Apache Httpd < 2.4.53 : mod_sed: Read/write beyond bounds

Out-of-bounds Write vulnerability in modsed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions...

Apache Httpd < 2.4.52 : Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier

A carefully crafted request body can cause a buffer overflow in the modlua multipart parser r:parsebody called from Lua scripts. The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier...

Apache Httpd < 2.4.44 : mod_proxy_uwsgi buffer overflow

In Apache HTTP Server versions 2.4.32 to 2.4.43, modproxyuwsgi has a information disclosure and possible RCE...

Apache Httpd < 2.4.48 : mod_session response handling heap overflow

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted SessionHeader sent by an origin server could cause a heap overflow...

Apache Httpd < 2.4.49 : mod_proxy SSRF

A crafted request uri-path can cause modproxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier...

Apache Httpd < 2.4.50 : Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...

Apache Httpd < 2.2.34 : mod_mime Buffer Overread

modmime can read one byte past the end of a buffer when sending a malicious Content-Type response header...

Apache Httpd < 2.4.54 : Read beyond bounds in ap_strcmp_match()

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in apstrcmpmatch when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use...

Apache Httpd < 2.4.51 : Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...

Apache Httpd < 2.4.52 : Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier

A crafted URI sent to httpd configured as a forward proxy ProxyRequests on can cause a crash NULL pointer dereference or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint Server Side Request Forgery...

Apache Httpd < 2.4.41 : mod_http2, DoS attack by exhausting h2 workers.

A malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections...

Apache Httpd < 2.4.33 : <FilesMatch> bypass with a trailing newline in the file name

The expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename...

Apache Httpd < 2.4.25 : Apache HTTP Request Parsing Whitespace Defects

Apache HTTP Server, prior to release 2.4.25 and 2.2.32, accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines...

Apache Httpd < 2.4.41 : Limited cross-site scripting in mod_proxy error page

A limited cross-site scripting issue was reported affecting the modproxy error page. An attacker could cause the link on the error page to be malfomed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured ...

Apache Httpd < 2.4.41 : CVE-2019-10097 mod_remoteip: Stack buffer overflow and NULL pointer dereference

When modremoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients...

Apache Httpd < 2.4.54 : mod_proxy_ajp: Possible request smuggling

Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in modproxyajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions...

Apache Httpd < 2.4.53 : core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody

If LimitXMLRequestBody is set to allow request bodies larger than 350MB defaults to 1M on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier...

Apache Httpd < 2.4.54 : read beyond bounds in mod_isapi

Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the modisapi module...

Apache Httpd < 2.2.29 : HTTP Trailers processing bypass

HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. This fix adds the "MergeTrailers" directive to restore legacy behavior...

Apache Httpd < 2.2.29 : mod_status buffer overflow

A race condition was found in modstatus. An attacker able to access a public server status page on a server using a threaded MPM could send a carefully crafted request which could lead to a heap buffer overflow. Note that it is not a default or recommended configuration to have a public accessibl...

Apache Httpd < 2.4.38 : mod_session_cookie does not respect expiry time

In Apache HTTP Server 2.4 release 2.4.37 and prior, modsession checks the session expiry time before decoding the session. This causes session expiry time to be ignored for modsessioncookie sessions since the expiry time is loaded when the session is decoded...

Apache Httpd < 2.4.42 : mod_rewrite CWE-601 open redirect

In Apache HTTP Server versions 2.4.0 to 2.4.41 some modrewrite configurations vulnerable to open redirect...

Apache Httpd < 2.4.26 : mod_mime Buffer Overread

modmime can read one byte past the end of a buffer when sending a malicious Content-Type response header...

Apache Httpd < 1.3.35 : Expect header Cross-Site Scripting

A flaw in the handling of invalid Expect headers. If an attacker can influence the Expect header that a victim sends to a target site they could perform a cross-site scripting attack. It is known that some versions of Flash can set an arbitrary Expect header which can trigger this flaw. Not marke...

Apache Httpd < 2.4.44 : Push Diary Crash on Specifically Crafted HTTP/2 Header

In Apache HTTP Server versions 2.4.20 to 2.4.43, when trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of modhttp2 above "info" will mitigate...

Apache Httpd < 2.4.39 : Apache HTTP Server privilege escalation from modules' scripts

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads including scripts executed by an in-process scripting interpreter could execute arbitrary code with the privileges of the parent process usually roo...

Apache Httpd < 2.4.26 : ap_get_basic_auth_pw() Authentication Bypass

Use of the apgetbasicauthpw by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use apgetbasicauthcomponents, available in 2.2.34 and 2.4.26, instead of apgetbasicauthpw. Modules which call the legacy...

Apache Httpd < 2.4.26 : mod_ssl Null Pointer Dereference

modssl may dereference a NULL pointer when third-party modules call aphookprocessconnection during an HTTP request to an HTTPS port...

Apache Httpd < 2.4.54 : read beyond bounds via ap_rwrite()

The aprwrite function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using aprwrite or aprputs, such as with modluas r:puts function. Modules compiled and distributed separately from Apache HTTP Server that use t...

Apache Httpd < 2.4.49 : Request splitting via HTTP/2 method injection and mod_proxy

A crafted method sent through HTTP/2 will bypass validation and be forwarded by modproxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48...

Apache Httpd < 2.4.12 : HTTP Trailers processing bypass

HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. This fix adds the "MergeTrailers" directive to restore legacy behavior...

Apache Httpd < 2.4.39 : Apache httpd URL normalization inconsistincy

When the path component of a request URL contains multiple consecutive slashes '/', directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them...

Apache Httpd < 2.4.54 : Information Disclosure in mod_lua with websockets

Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread that point past the end of the storage allocated for the buffer...

Apache Httpd < 2.4.53 : mod_lua Use of uninitialized value of in r:parsebody

A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier...

Apache Httpd < 2.4.49 : mod_proxy_uwsgi out of bound read

A carefully crafted request uri-path can cause modproxyuwsgi to read above the allocated memory and crash DoS. This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 inclusive...

Apache Httpd < 2.4.42 : mod_proxy_ftp use of uninitialized value

in Apache HTTP Server versions 2.4.0 to 2.4.41, modproxyftp use of uninitialized value with malicious FTP backend...

Apache Httpd < 2.4.48 : mod_auth_digest possible stack overflow by one nul byte

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in modauthdigest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make i...

Apache Httpd < 2.2.27 : mod_dav crash

XML parsing code in moddav incorrectly calculates the end of the string when removing leading spaces and places a NUL character outside the buffer, causing random crashes. This XML parsing code is only used with DAV provider modules that support DeltaV, of which the only publicly released provide...

Apache Httpd < 2.4.2 : insecure LD_LIBRARY_PATH handling

Insecure handling of LDLIBRARYPATH was found that could lead to the current working directory to be searched for DSOs. This could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory...

Apache Httpd < 2.4.26 : ap_find_token() Buffer Overread

The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows apfindtoken to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force...

Apache Httpd < 2.2.32 : mod_userdir CRLF injection

Possible CRLF injection allowing HTTP response splitting attacks for sites which use moduserdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value...

Apache Httpd < 2.2.25 : mod_dav crash

Sending a MERGE request against a URI handled by moddavsvn with the source href sent as part of the request body as XML pointing to a URI that is not configured for DAV will trigger a segfault...

Apache Httpd < 2.4.54 : Denial of service in mod_lua r:parsebody

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody0 may cause a denial of service due to no default limit on possible input size...

Apache Httpd < 2.4.48 : mod_session NULL pointer dereference

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by modsession can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service...

Apache Httpd < 2.4.25 : HTTP_PROXY environment variable "httpoxy" mitigation

HTTPPROXY is a well-defined environment variable in a CGI process, which collided with a number of libraries which failed to avoid colliding with this CGI namespace. A mitigation is provided for the httpd CGI environment to avoid populating the "HTTPPROXY" variable from a "Proxy:" header, which h...