Http Server Security Vulnerabilities - 2021

CVE-2021-2315

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle H...

CVSS 5.4 | AI Score 5.2 | EPSS 0.001 | Published 2021-04-22 10:15 PM

CVE-2021-2480

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener). The supported version that is affected is 11.1.1.9.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful a...

CVSS 3.7 | AI Score 3.6 | EPSS 0.001 | Published 2021-10-20 11:16 AM

CVE-2021-25219

In BIND 9.3.0 -> 9.11.35, 9.12.0 -> 9.16.21, and versions 9.9.3-S1 -> 9.11.35-S1 and 9.16.8-S1 -> 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw...

CVSS 5.3 | AI Score 5.6 | EPSS 0.007 | Published 2021-10-27 09:15 PM

CVE-2021-34798

Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVSS 7.5 | AI Score 8.6 | EPSS 0.006 | Published 2021-09-16 03:15 PM

CVE-2021-35666

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: OSSL Module). The supported version that is affected is 11.1.1.9.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle HTTP Server. Successful a...

CVSS 5.9 | AI Score 5.6 | EPSS 0.002 | Published 2021-10-20 11:17 AM

CVE-2021-35940

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

CVSS 7.1 | AI Score 7 | EPSS 0.001 | Published 2021-08-23 10:15 AM

CVE-2021-36160

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

CVSS 7.5 | AI Score 8.4 | EPSS 0.002 | Published 2021-09-16 03:15 PM | In Wild

CVE-2021-39275

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVSS 9.8 | AI Score 9.7 | EPSS 0.006 | Published 2021-09-16 03:15 PM

CVE-2021-40438

A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVSS 9 | AI Score 9.3 | EPSS 0.967 | Published 2021-09-16 03:15 PM | In Wild

CVE-2021-41617

sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with gr...

CVSS 7 | AI Score 7.5 | EPSS 0.001 | Published 2021-09-26 07:15 PM

CVE-2021-4181

Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file.

CVSS 7.5 | AI Score 7.4 | EPSS 0.004 | Published 2021-12-30 10:15 PM

CVE-2021-4182

Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file.

CVSS 7.5 | AI Score 7.4 | EPSS 0.002 | Published 2021-12-30 10:15 PM

CVE-2021-4183

Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of service via crafted capture file.

CVSS 5.5 | AI Score 6 | EPSS 0.001 | Published 2021-12-30 10:15 PM

CVE-2021-4184

Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file.

CVSS 7.5 | AI Score 7.4 | EPSS 0.003 | Published 2021-12-30 10:15 PM

CVE-2021-4185

Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file.

CVSS 7.5 | AI Score 7.4 | EPSS 0.003 | Published 2021-12-30 10:15 PM

CVE-2021-42717

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worke...

CVSS 7.5 | AI Score 7.3 | EPSS 0.004 | Published 2021-12-07 10:15 PM

CVE-2021-43818

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant co...

CVSS 8.2 | AI Score 7 | EPSS 0.007 | Published 2021-12-13 06:15 PM

CVE-2021-44224

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forger...

CVSS 8.2 | AI Score 8.9 | EPSS 0.312 | Published 2021-12-20 12:15 PM

CVE-2021-44790

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earl...

CVSS 9.8 | AI Score 9.7 | EPSS 0.109 | Published 2021-12-20 12:15 PM