330 matches found
CVE-2003-0789
The provided documents confirm CVE-2003-0789 is an Apache mod_cgid issue where CGI redirect paths are mishandled when using a threaded MPM, potentially causing CGI output to be sent to the wrong client. This is tied to the mod_cgid component of Apache and is discussed alongside CAN-2003-0542 (buf...
CVE-2004-0940
CVE-2004-0940 is a confirmed vulnerability: a buffer overflow in mod_include.get_tag() affects Apache 1.3.x up to 1.3.32, allowing local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error. The impact is ...
CVE-2005-3352
The CVE-2005-3352 entry documents a cross-site scripting (XSS) vulnerability in the Apache httpd mod_imap (and mod_imagemap) module. The issue arises from improper handling of the Referer header when using image maps, allowing an attacker to inject arbitrary script or HTML. Affected software is A...
CVE-2007-3304
CVE-2007-3304 affects Apache HTTP Server (httpd) with the Prefork MPM. The issue arises when a local attacker can modify the scoreboard arrays (worker_score and process_score) to reference another process, enabling the master process to send SIGUSR1 and terminate that process, potentially causing...
CVE-2004-0488
The provided documents confirm CVE-2004-0488: a stack-based buffer overflow in the ssl_util_uuencode_binary function of ssl_util.c used by Apache mod_ssl when configured to trust the issuing CA. This can allow remote code execution via a client certificate with a long subject DN. The issue affect...
CVE-2008-2168
CVE-2008-2168 : The linked SUSE/NVD entries describe a cross-site scripting (XSS) vulnerability in Apache HTTP Server up to version 2.2.6 and earlier, exploitable via UTF-7 encoded URLs that are mishandled when rendering the 403 Forbidden error page. Attacker-provided URL input can inject arbitra...
CVE-2026-44631
CVE-2026-44631 describes a Buffer Underwrite in the Apache HTTP Server when processing crafted regular expressions in its configuration. The issue affects Apache httpd from version 2.4.0 through 2.4.67. The advisory recommends upgrading to version 2.4.68, which contains the fix. The provided conn...
CVE-2007-1743
CVE-2007-1743 affects Apache HTTP Server (httpd) with the suexec module. The issue is that suexec (in httpd 2.2.3) does not verify combinations of user and group IDs on the command line, which might allow a local user to leverage other vulnerabilities to create arbitrary UID/GID–owned files if /p...
CVE-2026-33006
The CVE-2026-33006 issue affects Apache HTTP Server 2.4.66 and its mod_auth_digest component. A timing-based flaw allows a remote attacker to bypass Digest authentication. The known remediation is upgrading to Apache HTTP Server 2.4.67, which fixes the vulnerability. The NVD entry documents a MED...
CVE-2001-0731
CVE-2001-0731 affects Apache 1.3.20 when Multiviews is enabled. A remote attacker can cause a directory listing to be displayed (information disclosure) by crafting a request containing an M=D query string, bypassing normal index page behavior. Public advisories and scans consistently reference t...
CVE-2009-1956
CVE-2009-1956: Off-by-one error in apr_brigade_vprintf in Apache APR-util before 1.3.5 on big-endian platforms. Remote attackers could obtain sensitive information or cause a denial of service (application crash) via crafted input. Affected product: APR-util (pre-1.3.5) used with APR/httpd; impac...
CVE-2006-4110
CVE-2006-4110 affects Apache 2.2.2 running on Windows. An information-disclosure vulnerability arises when the CGI directory is within the document root: requests that alter the case of the directory name bypass the ScriptAlias handler on a case-insensitive filesystem, allowing attackers to read ...
CVE-2004-0885
The CVE-2004-0885 entry describes a vulnerability in Apache's mod_ssl for versions 2.0.35–2.0.52 where, when using SSLCipherSuite in directory or location context, remote clients can bypass intended restrictions by selecting any cipher suite allowed by the virtual host configuration. The initial ...
CVE-2007-3847
CVE-2007-3847 affects Apache httpd 2.3.x (mod_proxy) where the date handling in modules/proxy/proxy_util.c under a threaded MPM can be triggered by crafted date headers, causing a buffer over-read and remote denial of service (caching forward proxy process crash). The linked advisories indicate t...
CVE-2003-0993
CVE-2003-0993 concerns Apache 1.3.x mod_access on big-endian 64-bit systems. The issue arises because Allow/Deny rules that specify IP addresses without a netmask are not parsed correctly, potentially allowing remote attackers to bypass access restrictions. Multiple OpenVAS entries and vendor adv...
CVE-2007-1742
Apache HTTP Server (httpd) 2.2.3’s suexec uses a partial path comparison to determine if the current directory is within the document root. This may allow local users to operate on incorrect directories under an html directory (e.g., html_backup/htmleditor). The issue is described across multiple...
CVE-2002-0840
CVE-2002-0840 is a cross-site scripting (XSS) vulnerability in the default error page of Apache. It affects Apache 2.0 before 2.0.43 and 1.3.x up to 1.3.26, when UseCanonicalName is set to off and wildcard DNS is supported. An attacker can inject script via the Host header to execute in other vis...
CVE-2005-2728
Apache httpd is affected by CVE-2005-2728 due to a flaw in the byte-range filter that can cause memory exhaustion and denial of service when handling HTTP requests with a large Range header, as described in multiple connected advisories. The issue affects Apache httpd 2.0.x before 2.0.54 (and var...
CVE-2008-0005
CVE-2008-0005 affects Apache httpd mod_proxy_ftp: versions prior to 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev do not define a charset, enabling remote XSS via UTF-7 encoding. Remediation per connected advisories: upgrade to patched Apache httpd versions that backport fixes f...
CVE-2009-0023
CVE-2009-0023 affects Apache APR-util prior to 1.3.5. The vulnerability in apr_strmatch_precompile (strmatch/apr_strmatch.c) can be exploited by crafted input via that library’s usage contexts (e.g., .htaccess with Apache HTTP Server, SVNMasterURI in mod_dav_svn, mod_apreq2, or applications using...
CVE-2026-29167
CVE-2026-29167 is a Use After Free vulnerability in Apache HTTP Server when using mod_ldap in per-directory configuration. The issue affects Apache HTTP Server versions 2.4.0 through 2.4.67. The CVSS base score is 9.8 (Network, N), with high impact on confidentiality, integrity, and availability....
CVE-2001-1556
Technical details for CVE-2001-1556 are not publicly provided in the connected documents. Monitor for updates.
CVE-2002-0061
Apache HTTP Server on Windows (Win32) is vulnerable prior to versions 1.3.24 and 2.0.x prior to 2.0.34-beta. The flaw allows remote attackers to execute arbitrary commands by sending shell metacharacters (a pipe |) as arguments to batch (.bat) or .cmd scripts, which reach the shell interpreter (c...
CVE-2003-0245
CVE-2003-0245 concerns a vulnerability in the APR library (apr_psprintf) used by Apache 2.0.x, reported for versions 2.0.37–2.0.45. The flaw can crash the server and, in some cases, enable arbitrary code execution when triggered by long strings (notably via mod_dav) and potentially other vectors....
CVE-2010-0010
The CVE-2010-0010 issue affects Apache HTTP Server’s mod_proxy (proxy_util.c) on 64-bit platforms. The root cause is an integer overflow in the ap_proxy_send_fb function when handling large chunk sizes, which can trigger a heap-based buffer overflow. This condition enables a remote origin server ...
CVE-2003-0083
CVE-2003-0083 affects Apache 1.3.x (before 1.3.25) and Apache 2.0.x (before 2.0.46). The issue is that terminal escape sequences are not filtered from access logs, enabling insertion of escape sequences into terminal emulators vulnerable to such sequences. This is a separate vulnerability from CV...
CVE-2026-34032
CVE-2026-34032 is a vulnerability in Apache HTTP Server up to version 2.4.66, caused by a missing null-termination check in mod_proxy_ajp (ajp_msg_get_string) that leads to a heap buffer over-read. Affected product: Apache HTTP Server; vulnerable component: mod_proxy_ajp; root cause: missing null...
CVE-2026-33007
CVE-2026-33007 affects the Apache HTTP Server mod_authn_socache, where a NULL pointer dereference in 2.4.66 and earlier allows an unauthenticated remote user to crash a child process within a caching forward proxy configuration. The issue is resolved by upgrading to version 2.4.67. Unclear if in-...
CVE-2015-0253
CVE-2015-0253 affects the Apache HTTP Server 2.4.12. The vulnerability arises in the read_request_line function within server/protocol.c, where the protocol structure member is not initialized. This can enable a remote attacker to trigger a denial-of-service via a NULL pointer dereference and cra...
CVE-2010-2791
The CVE-2010-2791 issue affects Apache HTTP Server 2.2.x on Unix, where mod_proxy in httpd can fail to close the backend connection after a timeout while reading from a persistent connection. This can allow a remote attacker to obtain a potentially sensitive response intended for another client u...
CVE-2003-0987
CVE-2003-0987 affects Apache’s mod_digest prior to 1.3.31, where nonce verification using an AuthNonce secret can enable a replay attack. Affected component: mod_digest in the Apache HTTP Server. Root cause: improper nonce validation allows interception and replay of Digest authentication sequenc...
CVE-2005-1344
CVE-2005-1344 describes a buffer overflow in Apache's htdigest (version 2.0.52) that could allow arbitrary code execution via a long realm argument. The advisory notes that htdigest is typically locally accessible and not setuid/setgid, so privilege escalation is unlikely unless htdigest is invok...
CVE-2005-2088
The CVE-2005-2088 vulnerability affects the Apache HTTP Server when acting as an HTTP proxy. Specifically, versions before 1.3.34 and 2.0.x before 2.0.55 are susceptible. The issue arises from handling a request containing both Transfer-Encoding: chunked and Content-Length, causing the body to be...
CVE-2005-3357
CVE-2005-3357 affects mod_ssl in Apache 2.0 up to 2.0.55; when using an SSL vhost with access control and a custom 400 error page, a non-SSL request to an SSL port can trigger a NULL pointer dereference, causing a denial of service. Remediation/version is not specified in the provided documents.
CVE-2011-1928
The CVE-2011-1928 issue affects the APR library’s fnmatch implementation (apr_fnmatch.c) in APR 1.4.3/1.4.4 and Apache HTTP Server 2.2.18, causing an infinite-loop DoS when processing certain URIs due to an incorrect fix for CVE-2011-0419. Connected advisories note the problem is triggered by wil...
CVE-1999-0070
CVE-1999-0070 is associated with the generic test-cgi script vulnerability where an attacker can list files on the server. Red Hat and CVE listings confirm the issue stems from the test-cgi script. The Nessus plugin details an information-disclosure/remote command-execution style flaw: the script...
CVE-2003-0132
CVE-2003-0132: Apache 2.0 up to 2.0.44 is vulnerable to a memory-leak DoS via large sequences of linefeed characters. The issue arises because Apache may allocate memory (about 80 bytes per linefeed), enabling remote denial-of-service. OpenVAS entries summarize the vulnerability as a linefeed mem...
CVE-1999-0067
CVE-1999-0067 affects the phf CGI program that is included with NCSA httpd-derived web servers. The vulnerability allows remote command execution by supplying shell metacharacters in input processed by the phf CGI script, due to inadequate input sanitization. The issue can execute commands with t...
CVE-2002-0843
CVE-2002-0843 affects Apache httpd’s ApacheBench benchmark tool (ab.c). The description specifies buffer overflows in ab.c that occur in Apache before 1.3.27 and in Apache 2.x before 2.0.43. A malicious web server can trigger a long response to cause a denial of service and potentially execute ar...
CVE-2001-0131
CVE-2001-0131 is linked in Debian/OpenVAS advisories (e.g., DSA 021-1/188, OpenVAS entries) and references Apache components, but the connected documents do not provide detailed technical description of the root cause or explicit fixes beyond noting the vulnerability and CVSS scores. The Debian/O...
CVE-2004-0747
CVE-2004-0747 describes a local buffer overflow in Apache HTTP Server versions 2.0.50 and earlier, triggered by expansion of environment variables in .htaccess or server configuration files. The underlying issue involves copying environment data into a fixed-size buffer (ap_resolve_env) via strin...
CVE-2002-0839
CVE-2002-0839 affects Apache 1.3.x prior to 1.3.27. The vulnerability stems from the shared memory scoreboard in the HTTP daemon, where a user running as the Apache UID can modify parent[].pid and parent[].last_rtime, enabling the process to receive a SIGUSR1 signal with potential root-level effe...
CVE-2003-0192
CVE-2003-0192 describes an issue in Apache 2.x before 2.0.47 (and mod_ssl for Apache 1.3) where certain sequences of per-directory renegotiations combined with using SSLCipherSuite to upgrade a weak cipher could cause the server to continue using a weak cipher. The connected advisories confirm af...
CVE-2025-3891
CVE-2025-3891 affects the Apache httpd mod_auth_openidc module. A remote, unauthenticated attacker can cause a DoS by sending an empty POST when the OIDCPreservePost directive is enabled, crashing the server and impacting availability. Evidence from multiple advisories confirms the issue and ment...
CVE-2026-34059
CVE-2026-34059 affects Apache HTTP Server up to version 2.4.66, with a vulnerability in the mod_proxy_ajp component: a heap over-read in the ajp_parse_data() path that can lead to memory disclosure. The public description in multiple sources confirms the issue and the recommended mitigation is to...
CVE-2005-2970
CVE-2005-2970 is described across multiple advisories as a memory-leak vulnerability in the Apache httpd worker MPM (worker.c). In affected setups, memory consumed by aborted connections could not be freed for new requests, enabling a remote attacker to trigger a Denial of Service via memory exha...
CVE-2002-2029
CVE-2002-2029 affects PHP on Windows with Apache when ScriptAlias /php/ is set to c:/php/. A remote attacker can read arbitrary files and potentially execute arbitrary programs by requesting php.exe with a filename in the query string. Root cause is a configuration vulnerability enabling direct e...
CVE-2004-0942
CVE-2004-0942 affects Apache 2.0.52 and earlier. A remote attacker can trigger a denial of service by sending an HTTP GET with a MIME header containing many lines of whitespace, causing CPU/memory consumption. Public references show patches and advisories across platforms (e.g., ALT Linux package...
CVE-2026-33857
CVE-2026-33857 concerns the Apache HTTP Server, specifically the mod_proxy_ajp component, with an out-of-bounds read in AJP getter functions affecting versions up to 2.4.66. Upgrading to version 2.4.67 is the documented fix. The available connected sources confirm the affected product, the vulner...
CVE-2000-0505
The CVE-2000-0505 entry concerns the Apache HTTP Server on Windows (Win32) in the 1.3.x line. The vulnerability allows remote attackers to list directory contents by issuing a URL containing a large sequence of forward slashes, which triggers directory listing of the web root as configured in htt...