Apache HTTP Server

330 matches found

added 2013/06/10 5:0 p.m., 1160 views

CVE-2013-1862

CVE-2013-1862 affects Apache HTTP Server 2.2.x up to 2.2.24, where mod_rewrite writes log data without sanitizing non‑printable characters. This can allow a remote attacker to execute arbitrary commands by sending an HTTP request containing an escape sequence for a terminal emulator, with some so...

CVSS 5.1, AI score 6.9, EPSS 0.24886

added 2019/01/30 10:0 p.m., 1148 views

CVE-2018-17189

CVE-2018-17189: In Apache HTTP Server 2.4.37 and earlier, mod_http2 can cause a DoS by handling slowloris-style request bodies, unnecessarily occupying a server thread for the h2 stream on HTTP/2 connections. Affected product: Apache HTTP Server with mod_http2. Impact: denial of service via thre...

CVSS 5.3, AI score 6.1, EPSS 0.20071

added 2013/02/26 4:0 p.m., 1143 views

CVE-2012-4558

CVE-2012-4558 is an XSS vulnerability in Apache HTTP Server's balancer_handler (mod_proxy_balancer). Remote attackers can inject arbitrary web script/HTML via a crafted string in the manager interface for Apache 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4. Impact is arbitrary script execution ...

CVSS 4.3, AI score 6, EPSS 0.22913

added 2025/07/10 4:56 p.m., 1120 views

CVE-2025-23048

Affected software: Apache HTTP Server (httpd). CVE-2025-23048 describes an access-control bypass in mod_ssl when TLS 1.3 session resumption is used in configurations with multiple virtual hosts, each with different trusted client certificates; a client trusted for one vhost could access another i...

CVSS 9.1, AI score 6.5, EPSS 0.0097

added 2011/11/08 11:0 a.m., 1091 views

CVE-2011-4415

The CVE-2011-4415 issue affects the Apache HTTP Server (2.0.x up to 2.0.64 and 2.2.x up to 2.2.21) when mod_setenvif is enabled. The root cause is an integer overflow in ap_pregsub during environment variable handling (SetEnvIf), with a crafted .htaccess and HTTP header causing memory exhaustion ...

CVSS 1.2, AI score 6, EPSS 0.03281

added 2011/10/05 10:0 p.m., 1086 views

CVE-2011-3368

CVE-2011-3368 affects the Apache HTTP Server’s mod_proxy in reverse-proxy configurations. The vulnerability arises when using (1) RewriteRule with the [P] flag or (2) ProxyPassMatch; a remote attacker can craft a URI starting with an initial @ character to force the proxy to connect to an interna...

CVSS 5, AI score 9.2, EPSS 0.90734

added 2005/09/06 4:0 a.m., 1069 views

CVE-2005-2700

This CVE concerns the Apache mod_ssl module (ssl_engine_kernel.c) where configuring SSLVerifyClient optional at global vhost level fails to enforce SSLVerifyClient require in per-location contexts. Attackers could bypass intended access restrictions by omitting a client certificate. Affected comp...

CVSS 10, AI score 9.3, EPSS 0.30576

added 2018/03/26 3:0 p.m., 1065 views

CVE-2018-1302

Apache HTTP Server (httpd) before 2.4.30 may write a NULL pointer to freed memory when an HTTP/2 stream is destroyed after handling. This is described as low risk and hard to trigger in standard configurations, with no reproducibility outside debug builds. Affected releases include older 2.4.x li...

CVSS 5.9, AI score 6.4, EPSS 0.13436

added 2024/07/01 6:14 p.m., 987 views

CVE-2024-38473

The CVE-2024-38473 issue affects Apache HTTP Server (mod_proxy) in versions up to 2.4.59, where improper/encoded request URL handling can allow requests to reach backends and potentially bypass authentication. Public references and advisories state the vulnerability arises from encoding problems ...

CVSS 8.1, AI score 8.8, EPSS 0.25878

added 2021/06/10 7:10 a.m., 953 views

CVE-2020-13938

CVE-2020-13938 affects Apache HTTP Server 2.4.0–2.4.46. The vulnerability allows unprivileged local users to stop the httpd service on Windows. The connected sources confirm the affected product family and the local-access impact, with public advisories referencing Microsoft Windows behavior and ...

CVSS 5.5, AI score 6.6, EPSS 0.11773
In wild
added 2014/07/20 10:0 a.m., 908 views

CVE-2014-3523

CVE-2014-3523 corresponds to a memory leak in the WinNT MPM of Apache HTTP Server 2.4.x on Windows. Specifically, when AcceptFilter is enabled, the winnt_accept function in server/mpm/winnt/child.c can leak memory under crafted requests, leading to denial of service. The vulnerability is tied to ...

CVSS 5, AI score 6.3, EPSS 0.16372

added 2022/06/08 10:0 a.m., 906 views

CVE-2022-30522

CVE-2022-30522 affects Apache HTTP Server mod_sed; when input to mod_sed is very large, it can cause excessive memory allocations and aborts, impacting availability. The issue is documented across multiple feeds (e.g., CVE page for 2.4.53 context and later advisories) and is addressed by updating...

CVSS 7.5, AI score 8.7, EPSS 0.90407

added 2009/07/10 3:0 p.m., 903 views

CVE-2009-1891

CVE-2009-1891 affects the Apache HTTP Server mod_deflate in 2.2.x (notably 2.2.11 and earlier). The issue causes CPU consumption DoS by compressing large files even after the client connection closes. Public advisories across distributions confirm the flaw and its remediation via updated packages...

CVSS 7.1, AI score 7.3, EPSS 0.17111

added 2014/04/15 10:0 a.m., 899 views

CVE-2013-5704

CVE-2013-5704 concerns the Apache HTTP Server mod_headers trailer-header bypass vulnerability. The issue arises when a client places headers in the trailer portion of a chunked request, potentially bypassing RequestHeader unset directives and allowing header manipulation after header processing. ...

CVSS 5, AI score 5.7, EPSS 0.60205

added 2024/07/01 6:16 p.m., 873 views

CVE-2024-39573

The CVE-2024-39573 entry corresponds to Apache HTTP Server mod_rewrite/mod_proxy SSRF-related risk and is confirmed by connected sources reporting the issue in Apache httpd 2.4.59 and earlier, with a fix in 2.4.60 (and later 2.4.61 in later advisories). Root cause: unsafe RewriteRules/Substitutio...

CVSS 7.5, AI score 8.5, EPSS 0.35447

added 2011/11/30 2:0 a.m., 848 views

CVE-2011-4317

The CVE-2011-4317 issue concerns Apache HTTP Server in reverse proxy configurations (ProxyPassMatch/RewriteRule with [P]). It enables remote access to intranet servers via a malformed URI containing @ and : when the Revision 1179239 patch is applied, reflecting an incomplete fix for CVE-2011-3368...

CVSS 4.3, AI score 9.4, EPSS 0.60783

added 2024/07/01 6:12 p.m., 835 views

CVE-2024-38472

CVE-2024-38472: Apache HTTP Server on Windows is vulnerable to server-side request forgery (SSRF) that could leak NTLM hashes to a malicious server via crafted requests, due to improper validation of Windows UNC/UNC paths. The issue is addressed by upgrading to Apache HTTP Server 2.4.60 (as note...

CVSS 7.5, AI score 8.2, EPSS 0.6795

added 2015/07/20 11:0 p.m., 828 views

CVE-2015-3183

CVE-2015-3183 affects the Apache HTTP Server (httpd) via a bug in parsing chunked transfer encoding headers, enabling HTTP request smuggling when handling large chunk sizes or invalid chunk extensions (related to modules/http/http_filters.c). The issue is fixed in downstream advisories and patche...

CVSS 5, AI score 6.5, EPSS 0.72712

added 2012/01/18 8:0 p.m., 825 views

CVE-2012-0031

CVE-2012-0031 affects Apache HTTP Server 2.2.21 and earlier, specifically scoreboard.c. The vulnerability allows local users to cause a denial of service (daemon crash during shutdown) or potentially other unspecified impact by modifying a type field in a shared scoreboard memory segment, which l...

CVSS 4.6, AI score 7, EPSS 0.02905

added 2025/12/05 1:40 p.m., 800 views

CVE-2025-58098

CVE-2025-58098 affects Apache HTTP Server 2.4.65 and earlier when Server Side Includes (SSI) is enabled and mod_cgid (not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives, enabling potential command injection. The issue impacts Apache HTTP Server before 2.4.66; remedia...

CVSS 8.3, AI score 6.5, EPSS 0.015

added 2011/11/08 11:0 a.m., 796 views

CVE-2011-3607

The CVE-2011-3607 issue affects the Apache HTTP Server 2.0.x (up to 2.0.64) and 2.2.x (up to 2.2.21) when mod_setenvif is enabled. An integer overflow in ap_pregsub() in server/util.c can cause a heap-based buffer overflow, enabling local privilege escalation via a crafted .htaccess SetEnvIf dire...

CVSS 4.4, AI score 7.7, EPSS 0.04892

added 2011/11/30 2:0 a.m., 787 views

CVE-2011-3639

CVE-2011-3639 affects the Apache HTTP Server mod_proxy when using reverse proxy configurations (RewriteRule/ProxyPassMatch). The initial fix for CVE-2011-3368 did not fully address the issue, allowing a remote attacker to connect to an intranet/hidden server by sending HTTP/0.9 with a malformed U...

CVSS 4.3, AI score 9.4, EPSS 0.52531

added 2010/03/05 4:0 p.m., 786 views

CVE-2010-0408

CVE-2010-0408 affects the Apache HTTP Server 2.2.x prior to 2.2.15. The ap_proxy_ajp_request function in mod_proxy_ajp.c mishandles requests when a client sends no request body, allowing remote attackers to trigger a denial of service (backend server outage) by crafting a request. The issue is re...

CVSS 5, AI score 8.9, EPSS 0.20787

added 2014/07/20 10:0 a.m., 773 views

CVE-2013-4352

CVE-2013-4352 affects Apache HTTP Server (httpd) 2.4.x, specifically the mod_cache cache_storage.c: the cache_invalidate path in forward proxy caching can trigger a NULL pointer dereference, crashing the httpd and causing a Denial of Service. Public disclosures tie this to Apache httpd 2.4.6; mul...

CVSS 4.3, AI score 8.7, EPSS 0.11534

added 2010/07/28 7:32 p.m., 769 views

CVE-2010-1452

CVE-2010-1452 affects Apache HTTP Server 2.2.x (before 2.2.16) via the mod_cache and mod_dav components. A request that lacks a path can crash the server, causing a denial of service. Debian advisories and related vendor notes confirm the issue and describe fixes/upgrades to 2.2.16 (and subsequen...

CVSS 5, AI score 5.2, EPSS 0.2187

added 2022/06/08 10:0 a.m., 767 views

CVE-2022-28330

CVE-2022-28330 affects Apache HTTP Server 2.4.53 and earlier on Windows, describing an out-of-bounds read when processing requests with the mod_isapi module. Public references in ALAS advisories indicate the fix is included in httpd 2.4.54 (and related ALT Linux advisories). Mitigation requires u...

CVSS 5.3, AI score 7.1, EPSS 0.03375

added 2011/05/16 5:0 p.m., 750 views

CVE-2011-0419

CVE-2011-0419 is a stack consumption/DoS vulnerability in the APR library’s fnmatch implementation (apr_fnmatch.c) and, for some platforms, in libc’s fnmatch.c. It affects APR < 1.4.3 and Apache HTTP Server

CVSS 4.3, AI score 7.7, EPSS 0.30406

added 2015/03/08 2:0 a.m., 733 views

CVE-2015-0228

Apache HTTP Server mod_lua contains a Denial of Service vulnerability in lua_websocket_read (lua_request.c) affecting versions up to 2.4.12. A remote attacker can crash a child process by sending a crafted WebSocket Ping frame after a Lua script has invoked wsupgrade. The provided documents confi...

CVSS 5, AI score 8.8, EPSS 0.18939

added 2018/07/26 5:0 p.m., 722 views

CVE-2017-12171

CVE-2017-12171 is a vulnerability reported for Red Hat Enterprise Linux 6.9 with httpd 2.2.15-60. The regression causes comments in the Allow and Deny directives to be parsed incorrectly, potentially allowing a remote attacker to bypass access controls and gain access to a restricted HTTP resourc...

CVSS 6.5, AI score 6.6, EPSS 0.08078

added 2009/07/05 4:0 p.m., 721 views

CVE-2009-1890

CVE-2009-1890 affects Apache HTTP Server when used as a reverse proxy. The mod_proxy_http.c mechanism can fail to correctly bound a stream when Content-Length is exceeded, causing a denial-of-service via CPU exhaustion from crafted requests. The issue is specific to the reverse-proxy path in mod_...

CVSS 7.1, AI score 7.2, EPSS 0.16159

added 2011/09/19 3:0 p.m., 709 views

CVE-2011-3348

The CVE-2011-3348 issue affects the Apache HTTP Server’s mod_proxy_ajp in combination with mod_proxy_balancer, where certain configurations allow remote attackers to trigger a denial of service by sending a malformed HTTP request. The vulnerability is described as causing a temporary error state ...

CVSS 4.3, AI score 6.1, EPSS 0.2238

added 2014/12/15 5:27 p.m., 703 views

CVE-2014-3583

CVE-2014-3583 affects Apache HTTP Server 2.4.10 and earlier, where the handle_headers function in mod_proxy_fcgi.c can be triggered by long response headers to cause a denial of service (buffer over-read and daemon crash). The vulnerability stems from the proxy/Fcgi header handling in mod_proxy_f...

CVSS 5, AI score 8, EPSS 0.10499

added 2021/06/15 12:0 a.m., 694 views

CVE-2021-31618

CVE-2021-31618 affects the Apache httpd mod_http2 component. The issue is a NULL pointer dereference in the HTTP/2 header handling when size limits are violated, leading to denial of service by crashing the httpd worker process. Affected releases include mod_http2 1.15.17 and Apache httpd 2.4.47 ...

CVSS 7.5, AI score 7.7, EPSS 0.51208
In wild
added 2025/12/05 10:17 a.m., 672 views

CVE-2025-59775

CVE-2025-59775: SSRF in Apache HTTP Server on Windows when AllowEncodedSlashes On and MergeSlashes Off can leak NTLM hashes to a malicious server. Affected: Apache HTTP Server (Windows). Root cause: SSRF via UNC/NTLM-related handling as described in multiple security bulletins. Remediation: upgr...

CVSS 7.5, AI score 6.5, EPSS 0.00771

added 2001/09/12 4:0 a.m., 667 views

CVE-1999-1412

CVE-1999-1412 describes a DoS risk from an interaction between MacOS X 1.0 and Apache HTTP server, where a flood of HTTP GET requests to CGI programs can spawn many processes on affected systems. Connected sources provide concrete details indicating the issue relates to the Apache httpd component...

CVSS 5, AI score 6.2, EPSS 0.35342

added 2023/10/23 6:50 a.m., 649 views

CVE-2023-43622

CVE-2023-43622 affects Apache HTTP Server via the mod_http2 implementation. An attacker opening an HTTP/2 connection with an initial window size of 0 could block handling of that connection indefinitely, potentially exhausting server worker resources in a pattern similar to the slow loris attack....

CVSS 7.5, AI score 7.5, EPSS 0.70595

added 2016/07/06 2:0 p.m., 644 views

CVE-2016-4979

CVE-2016-4979 affects Apache HTTP Server 2.4.18–2.4.20 when mod_http2 and mod_ssl are enabled; it fails to recognize the SSLVerifyClient require directive for HTTP/2 request authorization, enabling bypass of access restrictions by abusing multiple requests on a single connection and renegotiation...

CVSS 7.5, AI score 7.5, EPSS 0.18802

added 2021/10/05 8:40 a.m., 644 views

CVE-2021-41524

CVE-2021-41524 affects Apache HTTP Server (httpd) 2.4.49, where a null pointer dereference during HTTP/2 request processing can allow external sources to cause a DoS. The flaw was introduced with 2.4.49; no public exploit is shown in the documents. Check Point’s November 2021 advisory maps this C...

CVSS 7.5, AI score 7.4, EPSS 0.24982

added 2017/07/26 9:0 p.m., 621 views

CVE-2017-7659

The CVE-2017-7659 issue affects the Apache HTTP Server (mod_http2) where a malicious HTTP/2 request could dereference a NULL pointer and crash the server process. Concrete details across connected docs show this vulnerability in Apache httpd before a fixed release (2.4.26) and are addressed by va...

CVSS 7.5, AI score 8.2, EPSS 0.53939

added 2016/12/05 7:0 p.m., 603 views

CVE-2016-8740

CVE-2016-8740 affects Apache HTTP Server mod_http2 when Protocols includes h2/h2c. A memory-exhaustion DoS arises from improper restriction of request-header length in crafted CONTINUATION frames in versions 2.4.17–2.4.23. Connected sources confirm the root cause is header-length handling without...

CVSS 7.5, AI score 7.2, EPSS 0.7907

added 2010/06/18 4:0 p.m., 597 views

CVE-2010-2068

CVE-2010-2068 affects Apache HTTP Server. Affected: mod_proxy_http.c in Apache HTTP Server 2.2.9–2.2.15, 2.3.4-alpha, and 2.3.5-alpha on Windows, NetWare, OS/2 in certain proxy worker pool configurations. Root cause: timeout handling in mod_proxy_http did not correctly detect timeouts, allowing a re...

CVSS 5, AI score 4.9, EPSS 0.16002

added 2012/11/30 7:0 p.m., 567 views

CVE-2012-4557

CVE-2012-4557 affects the Apache HTTP Server, specifically the mod_proxy_ajp module in versions 2.2.12–2.2.21. The vulnerability causes a worker node to enter an error state when a long request-processing time is detected, enabling remote attackers to trigger a denial of service via an expensive ...

CVSS 5, AI score 6.2, EPSS 0.1747

added 2016/07/06 2:0 p.m., 566 views

CVE-2016-1546

CVE-2016-1546 affects Apache HTTP Server 2.4.17/2.4.18 with mod_http2 enabled, where there is no limit on the number of simultaneous stream workers for a single HTTP/2 connection. This can allow remote attackers to cause a denial of service (stream-processing outage) via modified flow-control win...

CVSS 5.9, AI score 5.7, EPSS 0.15327

added 2025/07/10 4:59 p.m., 564 views

CVE-2025-53020

CVE-2025-53020 affects Apache HTTP Server versions 2.4.17 through 2.4.63. The issue is described as a Late Release of Memory after Effective Lifetime vulnerability. The recommended remediation is to upgrade to version 2.4.64, which fixes the issue. Public references from Debian, Amazon Linux advi...

CVSS 7.5, AI score 6.5, EPSS 0.03322

added 1999/09/29 4:0 a.m., 551 views

CVE-1999-0236

The CVE-1999-0236 entry describes a vulnerability in the ScriptAlias directory handling in NCSA and Apache httpd that allowed attackers to read CGI programs. Affected software is the Apache httpd family utilizing ScriptAlias configuration; the underlying issue is directory handling enabling discl...

CVSS 7.5, AI score 7.2, EPSS 0.25788

added 2009/09/08 6:0 p.m., 546 views

CVE-2009-3095

CVE-2009-3095 is a vulnerability in Apache httpd’s mod_proxy_ftp that allows remote authenticated attackers to bypass access restrictions and send arbitrary commands to an FTP server via crafted HTTP Authorization header vectors. The issue is part of a set of fixes for mod_proxy_ftp in the same a...

CVSS 5, AI score 9.4, EPSS 0.1256

added 2025/12/05 11:2 a.m., 544 views

CVE-2025-66200

CVE-2025-66200 affects Apache HTTP Server 2.4.7–2.4.65. A mod_userdir+suexec bypass via AllowOverride FileInfo lets users with htaccess access to the RequestHeader directive cause some CGI scripts to execute under an unexpected userid. Connected advisories confirm the fix is in 2.4.66 (e.g., Debi...

CVSS 5.4, AI score 6.6, EPSS 0.00569

added 2001/09/12 4:0 a.m., 500 views

CVE-1999-1237

CVE-1999-1237 describes multiple buffer overflows in the smbvalid/smbval SMB authentication library, as used by Apache::AuthenSmb and potentially other modules. The vulnerability allows remote attackers to execute arbitrary commands by sending excessively long usernames, passwords, or via other u...

CVSS 10, AI score 8.5, EPSS 0.08154

added 2019/01/30 10:0 p.m., 497 views

CVE-2019-0190

Apache HTTP Server mod_ssl denial of service (CVE-2019-0190) occurs when renegotiations are mishandled with OpenSSL 1.1.1+, causing a loop and potential DoS. According to ALAS-2019-1166 and related advisories, the fix is to upgrade to Apache httpd 2.4.38 (mod_ssl 2.4.38) or newer; affected compon...

CVSS 7.5, AI score 7.1, EPSS 0.59942

added 2025/12/05 10:12 a.m., 485 views

CVE-2025-55753

CVE-2025-55753 affects Apache HTTP Server (2.4.30–2.4.65). The issue is an integer overflow during failed ACME certificate renewals that, after ~30 days in default configs, causes the backoff timer to become 0. Thereafter, renewal attempts occur repeatedly without delays until success, potentiall...

CVSS 7.5, AI score 6.8, EPSS 0.00402

Total number of security vulnerabilities: 330