271 matches found
Apache Httpd < 2.4.25 : HTTP_PROXY environment variable "httpoxy" mitigation
HTTPPROXY is a well-defined environment variable in a CGI process, which collided with a number of libraries which failed to avoid colliding with this CGI namespace. A mitigation is provided for the httpd CGI environment to avoid populating the "HTTPPROXY" variable from a "Proxy:" header, which h...
Apache Httpd < 1.3.35 : Expect header Cross-Site Scripting
A flaw in the handling of invalid Expect headers. If an attacker can influence the Expect header that a victim sends to a target site they could perform a cross-site scripting attack. It is known that some versions of Flash can set an arbitrary Expect header which can trigger this flaw. Not marke...
Apache Httpd < 2.4.33 : Out of bound write in mod_authnz_ldap when using too small Accept-Language values
modauthnzldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two...
Apache Httpd < 2.4.38 : DoS for HTTP/2 connections via slow request bodies
By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol...
Apache Httpd < 2.4.33 : Possible out of bound read in mod_cache_socache
A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.33 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of modcachesocache...
Apache Httpd < 2.4.26 : ap_find_token() Buffer Overread
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows apfindtoken to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force...
Apache Httpd < 2.2.32 : Apache HTTP Request Parsing Whitespace Defects
Apache HTTP Server, prior to release 2.4.25 and 2.2.32, accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines...
Apache Httpd < 2.2.32 : mod_userdir CRLF injection
Possible CRLF injection allowing HTTP response splitting attacks for sites which use moduserdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value...
Apache Httpd < 2.2.27 : mod_dav crash
XML parsing code in moddav incorrectly calculates the end of the string when removing leading spaces and places a NUL character outside the buffer, causing random crashes. This XML parsing code is only used with DAV provider modules that support DeltaV, of which the only publicly released provide...
Apache Httpd < 2.2.34 : mod_ssl Null Pointer Dereference
modssl may dereference a NULL pointer when third-party modules call aphookprocessconnection during an HTTP request to an HTTPS port...
Apache Httpd < 2.4.44 : Push Diary Crash on Specifically Crafted HTTP/2 Header
In Apache HTTP Server versions 2.4.20 to 2.4.43, a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerabilit...
Apache Httpd < 2.2.25 : mod_dav crash
Sending a MERGE request against a URI handled by moddavsvn with the source href sent as part of the request body as XML pointing to a URI that is not configured for DAV will trigger a segfault...
Apache Httpd < 2.4.33 : Possible out of bound access after failure in reading the HTTP request
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.33, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode both log and build level...
Apache Httpd < 2.4.33 : Tampering of mod_session data for CGI applications
When modsession is configured to forward its session data to CGI applications SessionEnv on, not the default, a remote user may influence their content by using a "Session" header. This comes from the "HTTPSESSION" variable name used by modsession to forward its data to CGIs, since the prefix...
Apache Httpd < 2.4.41 : mod_http2, read-after-free in h2 connection shutdown
Using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown...
Apache Httpd < 2.4.41 : mod_http2, memory corruption on early pushes
HTTP/2 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client...
Apache Httpd < 2.4.48 : mod_proxy_http NULL pointer dereference
Apache HTTP Server versions 2.4.41 to 2.4.46 modproxyhttp can be made to crash NULL pointer dereference with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service...
Apache Httpd < 2.4.25 : mod_userdir CRLF injection
Possible CRLF injection allowing HTTP response splitting attacks for sites which use moduserdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value...
Apache Httpd < 2.4.9 : mod_log_config crash
A flaw was found in modlogconfig. A remote attacker could send a specific truncated cookie causing a crash. This crash would only be a denial of service if using a threaded MPM...
Apache Httpd < 2.2.34 : ap_get_basic_auth_pw() Authentication Bypass
Use of the apgetbasicauthpw by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use apgetbasicauthcomponents, available in 2.2.34 and 2.4.26, instead of apgetbasicauthpw. Modules which call the legacy...
Apache Httpd < 2.4.2 : insecure LD_LIBRARY_PATH handling
Insecure handling of LDLIBRARYPATH was found that could lead to the current working directory to be searched for DSOs. This could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory...
Apache Httpd < 2.2.15 : mod_isapi module unload flaw
A flaw was found with within modisapi which would attempt to unload the ISAPI dll when it encountered various error states. This could leave the callbacks in an undefined state and result in a segfault. On Windows platforms using modisapi, a remote attacker could send a malicious request to trigg...
Apache Httpd < 2.4.16 : HTTP request smuggling attack against chunked request parser
An HTTP request smuggling attack was possible due to a bug in parsing of chunked requests. A malicious client could force the server to misinterpret the request length, allowing cache poisoning or credential hijacking if an intermediary proxy is in use...
Apache Httpd < 2.4.38 : mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
A bug exists in the way modssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause modssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or...
Apache Httpd < 2.2.32 : HTTP_PROXY environment variable "httpoxy" mitigation
HTTPPROXY is a well-defined environment variable in a CGI process, which collided with a number of libraries which failed to avoid colliding with this CGI namespace. A mitigation is provided for the httpd CGI environment to avoid populating the "HTTPPROXY" variable from a "Proxy:" header, which h...
Apache Httpd < 2.4.10 : mod_deflate denial of service
A resource consumption flaw was found in moddeflate. If request body decompression was configured using the "DEFLATE" input filter, a remote attacker could cause the server to consume significant memory and/or CPU resources. The use of request body decompression is not a common configuration...
Apache Httpd < 1.3.22 : Multiviews can cause a directory listing to be displayed
A vulnerability was found when Multiviews are used to negotiate the directory index. In some configurations, requesting a URI with a QUERYSTRING of M=D could return a directory listing rather than the expected index page...
Apache Httpd < 2.4.25 : DoS vulnerability in mod_auth_digest
Malicious input to modauthdigest will cause the server to crash, and each instance continues to crash even for subsequently valid requests...
Apache Httpd < 2.4.12 : mod_lua multiple "Require" directive handling is broken
Fix handling of the Require line in modlua when a LuaAuthzProvider is used in multiple Require directives with different arguments. This could lead to different authentication rules than expected...
Apache Httpd < 2.4.39 : mod_http2, read-after-free on a string compare
Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly...
Apache Httpd < 2.4.10 : mod_status buffer overflow
A race condition was found in modstatus. An attacker able to access a public server status page on a server using a threaded MPM could send a carefully crafted request which could lead to a heap buffer overflow. Note that it is not a default or recommended configuration to have a public accessibl...
Apache Httpd < 2.4.9 : mod_dav crash
XML parsing code in moddav incorrectly calculates the end of the string when removing leading spaces and places a NUL character outside the buffer, causing random crashes. This XML parsing code is only used with DAV provider modules that support DeltaV, of which the only publicly released provide...
Apache Httpd < 2.4.7 : mod_cache crash
A NULL pointer dereference was found in modcache. A malicious HTTP server could cause a crash in a caching forward proxy configuration. Note that this vulnerability was fixed in the 2.4.7 release, but the security impact was not disclosed at the time of the release...
Apache Httpd < 2.4.39 : mod_ssl access control bypass
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in modssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions...
Apache Httpd < 2.4.34 : DoS for HTTP/2 connections by crafted requests
By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. This issue only affects servers that have configured and enabled HTTP/2 support, which is not the default...
Apache Httpd < 2.4.48 : NULL pointer dereference on specially crafted HTTP/2 request
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating...
Apache Httpd < 2.2.34 : Uninitialized memory reflection in mod_auth_digest
The value placeholder in Proxy-Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by modauthdigest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior...
Apache Httpd < 2.4.25 : IP address spoofing when proxying using mod_remoteip and mod_rewrite
For configurations using proxying with modremoteip and certain modrewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020...
Apache Httpd < 2.2.35-never : Use-after-free when using <Limit > with an unrecognized method in .htaccess ("OptionsBleed")
When an unrecognized HTTP Method is given in an directive in an .htaccess file, and that .htaccess file is processed by the corresponding request, the global methods table is corrupted in the current worker process, resulting in erratic behaviour. This behavior may be avoided by listing all unusu...
Apache Httpd < 2.4.50 : null pointer dereference in h2 fuzzing
While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project...
Apache Httpd < 2.4.48 : Unexpected URL matching with 'MergeSlashes OFF'
Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'...
Apache Httpd < 2.2.8 : mod_proxy_balancer DoS
A flaw was found in the modproxybalancer module. On sites where modproxybalancer is enabled, an authorized user could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded...
Apache Httpd < 2.4.10 : mod_cgid denial of service
A flaw was found in modcgid. If a server using modcgid hosted CGI scripts which did not consume standard input, a remote attacker could cause child processes to hang indefinitely, leading to denial of service...
Apache Httpd < 2.4.12 : mod_cache crash with empty Content-Type header
A NULL pointer deference was found in modcache. A malicious HTTP server could cause a crash in a caching forward proxy configuration. This crash would only be a denial of service if using a threaded MPM...
Apache Httpd < 2.4.33 : Possible write of after free on HTTP/2 stream shutdown
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.33 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerabilty hard to trigger in usual configurations, the reporter...
Apache Httpd < 2.0.65 : mod_setenvif .htaccess privilege escalation
An integer overflow flaw was found which, when the modsetenvif module is enabled, could allow local users to gain privileges via a .htaccess file...
Apache Httpd < 2.2.24 : XSS due to unescaped hostnames
Various XSS flaws due to unescaped hostnames and URIs HTML output in modinfo, modstatus, modimagemap, modldap, and modproxyftp...
Apache Httpd < 2.4.10 : mod_proxy denial of service
A flaw was found in modproxy in httpd versions 2.4.6 to 2.4.9. A remote attacker could send a carefully crafted request to a server configured as a reverse proxy, and cause the child process to crash. This could lead to a denial of service against a threaded MPM...
Apache Httpd < 2.2.27 : mod_log_config crash
A flaw was found in modlogconfig. A remote attacker could send a specific truncated cookie causing a crash. This crash would only be a denial of service if using a threaded MPM...
Apache Httpd < 2.0.59 : mod_rewrite off-by-one error
An off-by-one flaw exists in the Rewrite module, modrewrite. Depending on the manner in which Apache httpd was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely...