330 matches found
CVE-2006-20001
CVE-2006-20001 affects Apache HTTP Server 2.4.54 and earlier. The issue is triggered by a crafted If: header that can read memory or write a single zero byte in heap memory beyond the header value, potentially crashing the process. Industry advisories confirm the vulnerability in Apache httpd and...
CVE-2016-8743
The CVE-2016-8743 issue affects Apache HTTP Server. It concerns how whitespace is accepted in requests and sent in response lines and headers in all releases before 2.2.32 and 2.4.25. The root problem is liberal whitespace handling, which can enable request smuggling, response splitting, and cach...
CVE-2021-42013
Summary: CVE-2021-42013 covers an incomplete fix to CVE-2021-41773 in Apache HTTP Server 2.4.49/2.4.50. Root cause: path traversal vulnerabilities in the 2.4.50 fix could map URLs outside configured directories; if CGI is enabled for aliased paths, remote code execution could occur. Affected vers...
CVE-2019-0196
The CVE-2019-0196 issue affects Apache HTTP Server 2.4.x (noted in several advisories) where the http/2 request handling could access freed memory during a string comparison to determine the request method, potentially causing incorrect request processing. This is tied to mod_http2 and is describ...
CVE-2022-30556
The CVE-2022-30556 issue affects Apache HTTP Server (2.4.53 and earlier) where the wsread path may return a pointer past the end of the buffer, enabling information disclosure via websockets. Public references in connected sources corroborate: (1) industry advisories note an information disclosur...
CVE-2019-0197
The CVE-2019-0197 entry concerns Apache HTTP Server 2.4.34–2.4.38. When HTTP/2 is enabled for an http: host or H2Upgrade is enabled for h2 on an https: host, an Upgrade request from http/1.1 to http/2 that is not the first request on a connection could cause misconfiguration and crash. Servers th...
CVE-2022-22719
Summary (CVE-2022-22719) Affects Apache HTTP Server (httpd) 2.4.52 and earlier. The issue arises in the httpd mod_lua component where an uninitialized value in r:parsebody can cause a read to a random memory area, potentially leading to a crash and availability impact. Connected advisories confir...
CVE-2014-0226
Apache HTTP Server CVE-2014-0226 is a race-condition vulnerability in the mod_status component that can cause a heap-based buffer overflow, denial of service, and potentially credential disclosure or code execution. Affects httpd before 2.4.10; the issue arises from improper scoreboard handling i...
CVE-2014-0231
The CVE-2014-0231 issue affects the Apache HTTP Server mod_cgid module, specifically versions before 2.4.10. A missing timeout mechanism allows a remote attacker to trigger a denial of service by sending a request to a CGI script that does not read from stdin, causing the process to hang. This vu...
CVE-2014-8109
CVE-2014-8109 affects the Apache HTTP Server 2.3.x and 2.4.x up to 2.4.10, where mod_lua.c does not properly handle an httpd configuration using the same Lua authorization provider with different arguments across contexts. This can allow remote attackers to bypass access restrictions via multiple...
CVE-2021-26690
CVE-2021-26690 affects Apache HTTP Server 2.4.0–2.4.46 due to a NULL pointer dereference in mod_session when parsing a crafted Cookie header, leading to Denial of Service. Public advisories and vendor pages confirm a patch exists in newer httpd releases (e.g., 2.4.46+/2.4.51 in various distributi...
CVE-2021-34798
CVE-2021-34798 is a vulnerability in Apache HTTP Server where malformed requests may cause a NULL pointer dereference in the httpd core. The issue affects Apache HTTP Server 2.4.48 and earlier, and the resulting crash can lead to a Denial of Service. Multiple connected advisories confirm the same...
CVE-2013-2249
CVE-2013-2249 concerns Apache HTTP Server’s mod_session_dbd. The issue arises when mod_session_dbd proceeds with save operations for a session without honoring the dirty flag or requiring a new session ID, as described in multiple sources. Public references indicate the vulnerability is associate...
CVE-2024-40898
The CVE-2024-40898 entry describes an SSRF vulnerability in Apache HTTP Server on Windows when using mod_rewrite in the server/vhost context. The issue can allow leaking NTLM hashes to a malicious server via crafted requests. Affected software is Apache HTTP Server; the remediation is to upgrade ...
CVE-2014-0098
CVE-2014-0098 affects the Apache HTTP Server (mod_log_config) prior to version 2.4.8. The vulnerability is caused by how log_cookie is handled during truncation, allowing remote attackers to trigger a denial-of-service (segmentation fault and daemon crash). Public advisories and vendor notes (e.g...
CVE-2019-10081
CVE-2019-10081 affects Apache httpd's HTTP/2 implementation (mod_http2) where very early pushes can overwrite memory in the pushing request’s pool, causing crashes. The vulnerable facet is the handling of push headers (not client data) and memory being copied from the configured push link header ...
CVE-2022-26377
CVE-2022-26377 is a real HTTP Request Smuggling vulnerability in the mod_proxy_ajp module of Apache HTTP Server. Affected: Apache httpd 2.4.53 and earlier. Description across sources confirms that an attacker can smuggle requests to the AJP server to which httpd forwards traffic. Patches/updates ...
CVE-2024-38475
CVE-2024-38475 affects Apache HTTP Server 2.4.59 and earlier, where improper escaping of output in mod_rewrite can map URLs to filesystem locations that are served but not directly reachable, enabling remote code execution or source code disclosure. The issue also involves substitutions in server...
CVE-2016-0736
CVE-2016-0736 affects Apache HTTP Server’s mod_session_crypto (2.4.0–2.4.23). It used CBC/ECB modes (AES256-CBC by default) without authenticated encryption, enabling padding oracle-style attacks. The fix is to upgrade to Apache HTTPD 2.4.25 (or later) where mod_session_crypto is updated to authe...
CVE-2019-17567
CVE-2019-17567 affects Apache HTTP Server 2.4.x where mod_proxy_wstunnel on a URL not guaranteed to be upgraded by the origin server tunnels the entire connection, allowing subsequent requests on the same TCP connection to bypass HTTP validation, authentication, or authorization. Public reference...
CVE-2013-6438
The vulnerability CVE-2013-6438 affects the Apache HTTP Server mod_dav component. The flaw is in dav_xml_get_cdata (main/util.c) where whitespace is not correctly removed from CDATA sections, enabling a remote attacker to trigger a denial of service (daemon crash) with a crafted DAV WRITE request...
CVE-2021-33193
CVE-2021-33193 describes a vulnerability in Apache HTTP Server where a crafted HTTP/2 method can bypass validation and be forwarded by mod_proxy, potentially enabling request splitting or cache poisoning. The issue affects Apache httpd versions 2.4.17 through 2.4.48. Connected advisories and noti...
CVE-2016-2161
CVE-2016-2161 affects Apache HTTP Server 2.4.0–2.4.23 in the mod_auth_digest pathway. Malicious input to mod_auth_digest could cause the server to crash, and subsequent valid requests could still trigger crashes. The connected advisory pages confirm Apache’s fix to 2.4.25 (and related advisories)...
CVE-2022-28614
CVE-2022-28614 affects Apache HTTP Server 2.4.53 and earlier. The vulnerability stems from ap_rwrite() potentially reading unintended memory when reflecting very large input via ap_rwrite() or ap_rputs(), notably with mod_luas r:puts(). Modules compiled against older headers that use ap_rputs may...
CVE-2022-29404
CVE-2022-29404 affects Apache HTTP Server 2.4.53 and earlier. The vulnerability lies in the mod_lua code path: a malicious request to a Lua script calling r:parsebody(0) can cause a denial of service due to no default input size limit. Impact is DoS (availability) with network exposure; no data c...
CVE-2018-11763
CVE-2018-11763 affects Apache HTTP Server 2.4.17–2.4.34 and targets the HTTP/2 implementation. The issue arises when a client sends continuous, large SETTINGS frames, allowing a single connection to occupy a server thread and CPU time without triggering a connection timeout. Impact is limited to ...
CVE-2023-27522
CVE-2023-27522 affects Apache HTTP Server (httpd) versions 2.4.30–2.4.55 via mod_proxy_uwsgi. The issue is HTTP Response Smuggling where special characters in the origin response header can truncate or split the response forwarded to the client. AlmaLinux and ALAS advisories explicitly reference ...
CVE-2015-3185
CVE-2015-3185 affects Apache HTTP Server (httpd) 2.4.x up to before 2.4.14. The ap_some_auth_required() function in server/request.c could incorrectly treat a request as authenticated, allowing modules using this API to bypass intended access controls. The issue’s fix/backport is described as imp...
CVE-2020-11985
CVE-2020-11985 – Apache HTTP Server spoofing via proxying with mod_remoteip and mod_rewrite is documented in the initial CVE entry and corroborated by connected sources. Affected behavior: an attacker could spoof their IP address for logs and PHP scripts when proxying through mod_remoteip with ce...
CVE-2016-5387
CVE-2016-5387 affects Apache httpd prior to 2.4.25, where RFC 3875 compliance allows untrusted HTTP_PROXY data to influence outbound proxy selection via a crafted Proxy header (the httpoxy issue). Public docs indicate the issue arises from the HTTP_PROXY environment variable being exposed to appl...
CVE-2021-36160
CVE-2021-36160 affects Apache HTTP Server mod_proxy_uwsgi. A crafted request URI-path can cause mod_proxy_uwsgi to read beyond allocated memory, triggering a DoS. The issue is reported for Apache httpd versions 2.4.30–2.4.48. Public sources in connected documents corroborate the impact as an out-...
CVE-2019-10097
CVE-2019-10097 affects Apache HTTP Server 2.4.32–2.4.39 when mod_remoteip is configured to use a trusted intermediary proxy server via the PROXY protocol. A specially crafted PROXY header can trigger a stack buffer overflow or NULL pointer dereference, potentially crashing the server or impacting...
CVE-2023-45802
CVE-2023-45802 describes a memory‑leak condition in HTTP/2 handling: when a client resets a stream, memory deallocation is deferred until connection close, allowing a connection to accumulate memory usage over time. Astra Linux security notes reproduce the issue description and cite a fix in Apac...
CVE-2023-31122
CVE-2023-31122 is an out-of-bounds read vulnerability in Apache HTTP Server’s mod_macro affecting versions up to 2.4.57. Connected advisories (Debian, AlmaLinux, Amazon Linux, CIRCL sighting) confirm multiple distro advisories have issued patches and upgrades (e.g., Debian 2.4.59 fixes; AlmaLinux...
CVE-2014-0118
CVE-2014-0118 affects the Apache HTTP Server mod_deflate: the deflate_in_filter in mod_deflate.c allows remote denial-of-service when request body decompression is enabled, by processing crafted data that expands to a large size. Affected versions are Apache httpd prior to 2.4.10. Impact is resou...
CVE-2019-0215
CVE-2019-0215 affects Apache HTTP Server 2.4.37–2.4.38. A bug in mod_ssl for per-location client certificate verification with TLSv1.3 allowed bypass of configured access controls. Impact is access restriction bypass; no explicit exploitation details provided here. Remediation: upgrade to 2.4.39 ...
CVE-2012-3499
CVE-2012-3499 affects Apache HTTP Server 2.2.x (pre-2.2.24-dev) and 2.4.x (pre-2.4.4). The issue comprises multiple XSS flaws in modules including mod_imagemap, mod_info, mod_ldap, mod_proxy_ftp, and mod_status. An attacker can inject arbitrary web script/HTML via crafted Host header or URI-relat...
CVE-2012-0883
CVE-2012-0883 affects the Apache HTTP Server up to version 2.4.2, where the envvars (envvars-std) feature places a zero-length directory name in LD_LIBRARY_PATH. This enables local users to gain privileges by exploiting a Trojan horse DSO in the current working directory during execution of apach...
CVE-2009-3555
CVE-2009-3555 concerns a TLS/SSL renegotiation flaw where renegotiation handshakes were not properly associated with the existing connection, enabling MITM data insertion in HTTPS and other TLS/SSL sessions (Project Mogul). Connected advisories show concrete mitigations and affected software: Pou...
CVE-2018-1333
CVE-2018-1333 affects Apache HTTP Server. By specially crafting HTTP/2 requests, workers could be allocated 60 seconds longer than necessary, causing worker exhaustion and denial of service. Affected versions: 2.4.18–2.4.30 and 2.4.33; fixed in 2.4.34. The vulnerability originates from the HTTP/2...
CVE-2012-2687
Apache HTTP Server 2.4.x before 2.4.3 is affected by CVE-2012-2687 due to XSS in the mod_negotiation make_variant_list function (mod_negotiation.c) when MultiViews is enabled. The vulnerability arises from improper handling of crafted filenames during variant list construction, allowing remote at...
CVE-2013-1896
The CVE-2013-1896 issue affects the Apache HTTP Server: mod_dav.c fails to correctly determine if DAV is enabled for a URI, allowing a remote attacker to trigger a segfault via a MERGE request when the URI is handled by mod_dav_svn and the href in the XML data points to a non-DAV URI. This can le...
CVE-2003-1418
CVE-2003-1418 affects Apache HTTP Server 1.3.22–1.3.27 on OpenBSD. The root cause is information disclosure via (1) ETag headers that reveal inode numbers and (2) multipart MIME boundaries that reveal child process IDs (PIDs). Practical impact is partial information disclosure that can aid reconn...
CVE-2024-38477
CVE-2024-38477 affects Apache HTTP Server 2.4.59 and earlier. The issue is a null pointer dereference in mod_proxy triggered by a malicious request, which can crash the server (Denial of Service). The published remediation is to upgrade to Apache HTTP Server 2.4.60, which fixes the issue. The CVE...
CVE-2021-30641
CVE-2021-30641 affects Apache HTTP Server 2.4.39–2.4.46 with unexpected matching behavior when MergeSlashes OFF. Connected sources indicate patched versions: Debian fixes in 2.4.38-based packages, AlmaLinux/RedHat advisories reference a fix in Apache 2.4.51 for supported Check Point versions, and...
CVE-2020-13950
CVE-2020-13950 affects Apache HTTP Server (httpd) mod_proxy_http, with versions 2.4.41–2.4.46 vulnerable to a NULL pointer dereference triggered by specially crafted requests using both Content-Length and Transfer-Encoding headers, causing Denial of Service. Connected documents confirm impact as ...
CVE-2012-0053
CVE-2012-0053 affects Apache HTTP Server 2.2.x up to 2.2.21. The flaw in protocol.c during 400 error page construction can reveal HTTPOnly cookie values via long/malformed headers with crafted scripts. Remediation per advisories: upgrade to 2.2.22 or later (e.g., httpd 2.2.22).
CVE-2018-1301
CVE-2018-1301 affects the Apache HTTP Server (httpd) prior to 2.4.30, caused by an out-of-bounds access after a size limit is reached when reading the HTTP header. Impact described as a crash (low risk for normal usage). Affected component is httpd’s HTTP header parsing; root cause is an out-of-b...
CVE-2014-0117
The vulnerability CVE-2014-0117 affects the Apache HTTP Server, specifically the mod_proxy behavior in the 2.4.x line prior to 2.4.10. When a reverse proxy is enabled, a remote attacker can craft an HTTP Connection header to trigger a denial of service (child process crash). This is documented ac...
CVE-2018-1303
CVE-2018-1303: An out-of-bounds read in mod_cache_socache could crash the Apache HTTP Server prior to 2.4.30, enabling a DoS against users of httpd. The issue is discussed across multiple advisories (Debian/ALT Linux/Arch Linux security notes and CentOS RH advisories) and is attributed to imprope...