271 matches found
Apache Httpd < 2.4.53 : HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling...
Apache Httpd < 2.4.54 : mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism
Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded- headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application...
Apache Httpd < 2.4.33 : Weak Digest auth nonce generation in mod_auth_digest
When generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker withou...
Apache Httpd < 2.4.49 : ap_escape_quotes buffer overflow
apescapequotes may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier...
Apache Httpd < 2.4.41 : mod_rewrite potential open redirect
Redirects configured with modrewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL...
Apache Httpd < 2.4.53 : mod_sed: Read/write beyond bounds
Out-of-bounds Write vulnerability in modsed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions...
Apache Httpd < 2.4.52 : Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier
A carefully crafted request body can cause a buffer overflow in the modlua multipart parser r:parsebody called from Lua scripts. The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier...
Apache Httpd < 2.4.48 : mod_session response handling heap overflow
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted SessionHeader sent by an origin server could cause a heap overflow...
Apache Httpd < 2.4.44 : mod_proxy_uwsgi buffer overflow
In Apache HTTP Server versions 2.4.32 to 2.4.43, modproxyuwsgi has a information disclosure and possible RCE...
Apache Httpd < 2.4.49 : mod_proxy SSRF
A crafted request uri-path can cause modproxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier...
Apache Httpd < 2.4.54 : Read beyond bounds in ap_strcmp_match()
Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in apstrcmpmatch when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use...
Apache Httpd < 2.4.50 : Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...
Apache Httpd < 2.4.52 : Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier
A crafted URI sent to httpd configured as a forward proxy ProxyRequests on can cause a crash NULL pointer dereference or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint Server Side Request Forgery...
Apache Httpd < 2.2.34 : mod_mime Buffer Overread
modmime can read one byte past the end of a buffer when sending a malicious Content-Type response header...
Apache Httpd < 2.4.41 : Limited cross-site scripting in mod_proxy error page
A limited cross-site scripting issue was reported affecting the modproxy error page. An attacker could cause the link on the error page to be malfomed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured ...
Apache Httpd < 2.4.33 : <FilesMatch> bypass with a trailing newline in the file name
The expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename...
Apache Httpd < 2.4.41 : mod_http2, DoS attack by exhausting h2 workers.
A malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections...
Apache Httpd < 2.4.25 : Apache HTTP Request Parsing Whitespace Defects
Apache HTTP Server, prior to release 2.4.25 and 2.2.32, accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines...
Apache Httpd < 2.4.53 : core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
If LimitXMLRequestBody is set to allow request bodies larger than 350MB defaults to 1M on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier...
Apache Httpd < 2.4.54 : mod_proxy_ajp: Possible request smuggling
Inconsistent Interpretation of HTTP Requests 'HTTP Request Smuggling' vulnerability in modproxyajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions...
Apache Httpd < 2.4.54 : read beyond bounds in mod_isapi
Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the modisapi module...
Apache Httpd < 2.4.51 : Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...
Apache Httpd < 2.4.41 : CVE-2019-10097 mod_remoteip: Stack buffer overflow and NULL pointer dereference
When modremoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients...
Apache Httpd < 2.4.38 : mod_session_cookie does not respect expiry time
In Apache HTTP Server 2.4 release 2.4.37 and prior, modsession checks the session expiry time before decoding the session. This causes session expiry time to be ignored for modsessioncookie sessions since the expiry time is loaded when the session is decoded...
Apache Httpd < 2.4.42 : mod_rewrite CWE-601 open redirect
In Apache HTTP Server versions 2.4.0 to 2.4.41 some modrewrite configurations vulnerable to open redirect...
Apache Httpd < 2.2.29 : mod_status buffer overflow
A race condition was found in modstatus. An attacker able to access a public server status page on a server using a threaded MPM could send a carefully crafted request which could lead to a heap buffer overflow. Note that it is not a default or recommended configuration to have a public accessibl...
Apache Httpd < 2.4.26 : mod_mime Buffer Overread
modmime can read one byte past the end of a buffer when sending a malicious Content-Type response header...
Apache Httpd < 2.2.29 : HTTP Trailers processing bypass
HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. This fix adds the "MergeTrailers" directive to restore legacy behavior...
Apache Httpd < 2.4.26 : mod_ssl Null Pointer Dereference
modssl may dereference a NULL pointer when third-party modules call aphookprocessconnection during an HTTP request to an HTTPS port...
Apache Httpd < 2.4.53 : mod_lua Use of uninitialized value of in r:parsebody
A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier...
Apache Httpd < 2.4.26 : ap_get_basic_auth_pw() Authentication Bypass
Use of the apgetbasicauthpw by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use apgetbasicauthcomponents, available in 2.2.34 and 2.4.26, instead of apgetbasicauthpw. Modules which call the legacy...
Apache Httpd < 2.4.48 : mod_auth_digest possible stack overflow by one nul byte
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in modauthdigest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make i...
Apache Httpd < 2.4.39 : Apache HTTP Server privilege escalation from modules' scripts
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads including scripts executed by an in-process scripting interpreter could execute arbitrary code with the privileges of the parent process usually roo...
Apache Httpd < 2.4.39 : Apache httpd URL normalization inconsistincy
When the path component of a request URL contains multiple consecutive slashes '/', directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them...
Apache Httpd < 2.4.54 : read beyond bounds via ap_rwrite()
The aprwrite function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using aprwrite or aprputs, such as with modluas r:puts function. Modules compiled and distributed separately from Apache HTTP Server that use t...
Apache Httpd < 2.4.48 : mod_session NULL pointer dereference
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by modsession can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service...
Apache Httpd < 2.4.42 : mod_proxy_ftp use of uninitialized value
in Apache HTTP Server versions 2.4.0 to 2.4.41, modproxyftp use of uninitialized value with malicious FTP backend...
Apache Httpd < 2.4.54 : Denial of service in mod_lua r:parsebody
In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody0 may cause a denial of service due to no default limit on possible input size...
Apache Httpd < 2.4.49 : NULL pointer dereference in httpd core
Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier...
Apache Httpd < 2.4.54 : Information Disclosure in mod_lua with websockets
Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread that point past the end of the storage allocated for the buffer...
Apache Httpd < 2.4.44 : Push Diary Crash on Specifically Crafted HTTP/2 Header
In Apache HTTP Server versions 2.4.20 to 2.4.43, when trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of modhttp2 above "info" will mitigate...
Apache Httpd < 2.4.49 : Request splitting via HTTP/2 method injection and mod_proxy
A crafted method sent through HTTP/2 will bypass validation and be forwarded by modproxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48...
Apache Httpd < 2.4.48 : mod_proxy_wstunnel tunneling of non Upgraded connections
Apache HTTP Server versions 2.4.6 to 2.4.46 modproxywstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authenticati...
Apache Httpd < 2.4.39 : mod_auth_digest access control bypass
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in modauthdigest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions...
Apache Httpd < 2.4.12 : HTTP Trailers processing bypass
HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. This fix adds the "MergeTrailers" directive to restore legacy behavior...
Apache Httpd < 2.4.48 : Improper Handling of Insufficient Privileges
Apache HTTP Server versions 2.4.0 to 2.4.46 Unprivileged local users can stop httpd on Windows...
Apache Httpd < 2.4.49 : mod_proxy_uwsgi out of bound read
A carefully crafted request uri-path can cause modproxyuwsgi to read above the allocated memory and crash DoS. This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 inclusive...
Apache Httpd < 2.4.25 : Padding Oracle in Apache mod_session_crypto
Prior to Apache HTTP release 2.4.25, modsessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation AES256-CBC by default, hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks,...
Apache Httpd < 2.4.27 : Uninitialized memory reflection in mod_auth_digest
The value placeholder in Proxy-Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by modauthdigest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior...
Apache Httpd < 2.4.28 : Use-after-free when using <Limit > with an unrecognized method in .htaccess ("OptionsBleed")
When an unrecognized HTTP Method is given in an directive in an .htaccess file, and that .htaccess file is processed by the corresponding request, the global methods table is corrupted in the current worker process, resulting in erratic behaviour. This behavior may be avoided by listing all unusu...