Apache Httpd < 2.4.35 : DoS for HTTP/2 connections by continuous SETTINGS

By sending continous SETTINGS frames of maximum size an ongoing HTTP/2 connection could be kept busy and would never time out. This can be abused for a DoS on the server. This only affect a server that has enabled the h2 protocol...

Apache Httpd < 2.4.34 : mod_md, DoS via Coredumps on specially crafted requests

By specially crafting HTTP requests, the modmd challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server...

Apache Httpd < 2.4.34 : DoS for HTTP/2 connections by crafted requests

By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. This issue only affects servers that have configured and enabled HTTP/2 support, which is not the default...

Apache Httpd < 2.4.33 : Possible out of bound access after failure in reading the HTTP request

A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.33, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode both log and build level...

Apache Httpd < 2.4.33 : Possible out of bound read in mod_cache_socache

A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.33 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of modcachesocache...

Apache Httpd < 2.4.33 : Possible write of after free on HTTP/2 stream shutdown

When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.33 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerabilty hard to trigger in usual configurations, the reporter...

Apache Httpd < 2.4.33 : Out of bound write in mod_authnz_ldap when using too small Accept-Language values

modauthnzldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two...

Apache Httpd < 2.4.33 : <FilesMatch> bypass with a trailing newline in the file name

The expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename...

Apache Httpd < 2.4.33 : Tampering of mod_session data for CGI applications

When modsession is configured to forward its session data to CGI applications SessionEnv on, not the default, a remote user may influence their content by using a "Session" header. This comes from the "HTTPSESSION" variable name used by modsession to forward its data to CGIs, since the prefix...

Apache Httpd < 2.2.35-never : Use-after-free when using <Limit > with an unrecognized method in .htaccess ("OptionsBleed")

When an unrecognized HTTP Method is given in an directive in an .htaccess file, and that .htaccess file is processed by the corresponding request, the global methods table is corrupted in the current worker process, resulting in erratic behaviour. This behavior may be avoided by listing all unusu...

Apache Httpd < 2.4.28 : Use-after-free when using <Limit > with an unrecognized method in .htaccess ("OptionsBleed")

When an unrecognized HTTP Method is given in an directive in an .htaccess file, and that .htaccess file is processed by the corresponding request, the global methods table is corrupted in the current worker process, resulting in erratic behaviour. This behavior may be avoided by listing all unusu...

Apache Httpd < 2.4.27 : Read after free in mod_http2

When under stress, closing many connections, the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in potentially erratic behaviour...

Apache Httpd < 2.2.34 : Uninitialized memory reflection in mod_auth_digest

The value placeholder in Proxy-Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by modauthdigest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior...

Apache Httpd < 2.4.27 : Uninitialized memory reflection in mod_auth_digest

The value placeholder in Proxy-Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by modauthdigest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior...

Apache Httpd < 2.4.26 : ap_find_token() Buffer Overread

The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows apfindtoken to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force...

Apache Httpd < 2.2.34 : ap_find_token() Buffer Overread

The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows apfindtoken to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force...

Apache Httpd < 2.4.26 : ap_get_basic_auth_pw() Authentication Bypass

Use of the apgetbasicauthpw by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use apgetbasicauthcomponents, available in 2.2.34 and 2.4.26, instead of apgetbasicauthpw. Modules which call the legacy...

Apache Httpd < 2.2.34 : ap_get_basic_auth_pw() Authentication Bypass

Use of the apgetbasicauthpw by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use apgetbasicauthcomponents, available in 2.2.34 and 2.4.26, instead of apgetbasicauthpw. Modules which call the legacy...

Apache Httpd < 2.4.26 : mod_ssl Null Pointer Dereference

modssl may dereference a NULL pointer when third-party modules call aphookprocessconnection during an HTTP request to an HTTPS port...

Apache Httpd < 2.2.34 : mod_ssl Null Pointer Dereference

modssl may dereference a NULL pointer when third-party modules call aphookprocessconnection during an HTTP request to an HTTPS port...

Apache Httpd < 2.4.25 : HTTP/2 CONTINUATION denial of service

The HTTP/2 protocol implementation modhttp2 had an incomplete handling of the LimitRequestFields directive. This allowed an attacker to inject unlimited request headers into the server, leading to eventual memory exhaustion...

Apache Httpd < 2.4.26 : mod_http2 Null Pointer Dereference

A maliciously constructed HTTP/2 request could cause modhttp2 to dereference a NULL pointer and crash the server process...

Apache Httpd < 2.4.25 : IP address spoofing when proxying using mod_remoteip and mod_rewrite

For configurations using proxying with modremoteip and certain modrewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020...

Apache Httpd < 2.4.25 : mod_userdir CRLF injection

Possible CRLF injection allowing HTTP response splitting attacks for sites which use moduserdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value...

Apache Httpd < 2.2.32 : mod_userdir CRLF injection

Possible CRLF injection allowing HTTP response splitting attacks for sites which use moduserdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value...

Apache Httpd < 2.4.25 : DoS vulnerability in mod_auth_digest

Malicious input to modauthdigest will cause the server to crash, and each instance continues to crash even for subsequently valid requests...

Apache Httpd < 2.2.32 : HTTP_PROXY environment variable "httpoxy" mitigation

HTTPPROXY is a well-defined environment variable in a CGI process, which collided with a number of libraries which failed to avoid colliding with this CGI namespace. A mitigation is provided for the httpd CGI environment to avoid populating the "HTTPPROXY" variable from a "Proxy:" header, which h...

Apache Httpd < 2.4.25 : HTTP_PROXY environment variable "httpoxy" mitigation

HTTPPROXY is a well-defined environment variable in a CGI process, which collided with a number of libraries which failed to avoid colliding with this CGI namespace. A mitigation is provided for the httpd CGI environment to avoid populating the "HTTPPROXY" variable from a "Proxy:" header, which h...

Apache Httpd < 2.4.23 : TLS/SSL X.509 client certificate auth bypass with HTTP/2

For configurations enabling support for HTTP/2, SSL client certificate validation was not enforced if configured, allowing clients unauthorized access to protected resources over HTTP/2. This issue affected releases 2.4.18 and 2.4.20 only...

Apache Httpd < 2.4.25 : Apache HTTP Request Parsing Whitespace Defects

Apache HTTP Server, prior to release 2.4.25 and 2.2.32, accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines...

Apache Httpd < 2.2.32 : Apache HTTP Request Parsing Whitespace Defects

Apache HTTP Server, prior to release 2.4.25 and 2.2.32, accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines...

Apache Httpd < 2.4.20 : mod_http2: denial of service by thread starvation

By manipulating the flow control windows on streams, a client was able to block server threads for long times, causing starvation of worker threads. Connections could still be opened, but no streams where processed for these. This issue affected HTTP/2 support in 2.4.17 and 2.4.18...

Apache Httpd < 2.4.25 : Padding Oracle in Apache mod_session_crypto

Prior to Apache HTTP release 2.4.25, modsessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation AES256-CBC by default, hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks,...

Apache Httpd < 2.2.34 : mod_mime Buffer Overread

modmime can read one byte past the end of a buffer when sending a malicious Content-Type response header...

Apache Httpd < 2.4.26 : mod_mime Buffer Overread

modmime can read one byte past the end of a buffer when sending a malicious Content-Type response header...

Apache Httpd < 2.2.31 : HTTP request smuggling attack against chunked request parser

An HTTP request smuggling attack was possible due to a bug in parsing of chunked requests. A malicious client could force the server to misinterpret the request length, allowing cache poisoning or credential hijacking if an intermediary proxy is in use...

Apache Httpd < 2.4.16 : HTTP request smuggling attack against chunked request parser

An HTTP request smuggling attack was possible due to a bug in parsing of chunked requests. A malicious client could force the server to misinterpret the request length, allowing cache poisoning or credential hijacking if an intermediary proxy is in use...

Apache Httpd < 2.4.16 : Crash in ErrorDocument 400 handling

A crash in ErrorDocument handling was found. If ErrorDocument 400 was configured pointing to a local URL-path with the INCLUDES filter active, a NULL dereference would occur when handling the error, causing the child process to crash. This issue affected the 2.4.12 release only...

Apache Httpd < 2.4.16 : mod_lua: Crash in websockets PING handling

A stack recursion crash in the modlua module was found. A Lua script executing the r:wsupgrade function could crash the process if a malicious client sent a carefully crafted PING request. This issue affected releases 2.4.7 through 2.4.12 inclusive...

Apache Httpd < 2.4.12 : mod_lua multiple "Require" directive handling is broken

Fix handling of the Require line in modlua when a LuaAuthzProvider is used in multiple Require directives with different arguments. This could lead to different authentication rules than expected...

Apache Httpd < 2.4.12 : mod_proxy_fcgi out-of-bounds memory read

An out-of-bounds memory read was found in modproxyfcgi. A malicious FastCGI server could send a carefully crafted response which could lead to a crash when reading past the end of a heap memory or stack buffer. This issue affects version 2.4.10 only...

Apache Httpd < 2.4.12 : mod_cache crash with empty Content-Type header

A NULL pointer deference was found in modcache. A malicious HTTP server could cause a crash in a caching forward proxy configuration. This crash would only be a denial of service if using a threaded MPM...

Apache Httpd < 2.4.10 : WinNT MPM denial of service

A flaw was found in the WinNT MPM in httpd versions 2.4.1 to 2.4.9, when using the default AcceptFilter for that platform. A remote attacker could send carefully crafted requests that would leak memory and eventually lead to a denial of service against the server...

Apache Httpd < 2.4.10 : mod_cgid denial of service

A flaw was found in modcgid. If a server using modcgid hosted CGI scripts which did not consume standard input, a remote attacker could cause child processes to hang indefinitely, leading to denial of service...

Apache Httpd < 2.2.29 : mod_cgid denial of service

A flaw was found in modcgid. If a server using modcgid hosted CGI scripts which did not consume standard input, a remote attacker could cause child processes to hang indefinitely, leading to denial of service...

Apache Httpd < 2.2.29 : mod_status buffer overflow

A race condition was found in modstatus. An attacker able to access a public server status page on a server using a threaded MPM could send a carefully crafted request which could lead to a heap buffer overflow. Note that it is not a default or recommended configuration to have a public accessibl...

Apache Httpd < 2.4.10 : mod_status buffer overflow

A race condition was found in modstatus. An attacker able to access a public server status page on a server using a threaded MPM could send a carefully crafted request which could lead to a heap buffer overflow. Note that it is not a default or recommended configuration to have a public accessibl...

Apache Httpd < 2.4.10 : mod_proxy denial of service

A flaw was found in modproxy in httpd versions 2.4.6 to 2.4.9. A remote attacker could send a carefully crafted request to a server configured as a reverse proxy, and cause the child process to crash. This could lead to a denial of service against a threaded MPM...

Apache Httpd < 2.2.27 : mod_log_config crash

A flaw was found in modlogconfig. A remote attacker could send a specific truncated cookie causing a crash. This crash would only be a denial of service if using a threaded MPM...

Apache Httpd < 2.4.9 : mod_log_config crash

A flaw was found in modlogconfig. A remote attacker could send a specific truncated cookie causing a crash. This crash would only be a denial of service if using a threaded MPM...