Http Server@2.4.2 Security Vulnerabilities and Issues — Http Server@2.4.2 CVE List

Lucene search

ApacheHttp Server2.4.2

16 matches found

cve•added 2018/03/26 3:29 p.m.•7165 views

CVE-2018-1312

In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed acros...

9.8CVSS7.5AI score0.09062EPSS

cve•added 2017/06/20 1:29 a.m.•5795 views

CVE-2017-3169

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.

9.8CVSS9.4AI score0.41379EPSS

cve•added 2017/09/18 3:29 p.m.•3282 views

CVE-2017-9798

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker send...

7.5CVSS7.7AI score0.93978EPSS

cve•added 2018/08/14 1:0 p.m.•3004 views

CVE-2016-4975

Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2...

6.1CVSS6.9AI score0.77046EPSS

cve•added 2018/03/26 3:29 p.m.•2910 views

CVE-2017-15710

In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conv...

7.5CVSS7.5AI score0.11702EPSS

cve•added 2014/12/29 11:59 p.m.•2013 views

CVE-2014-8109

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restricti...

4.3CVSS6.7AI score0.17172EPSS

cve•added 2017/07/27 9:29 p.m.•1727 views

CVE-2016-0736

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding orac...

7.5CVSS7.5AI score0.1859EPSS

cve•added 2017/07/27 9:29 p.m.•1641 views

CVE-2016-2161

In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.

7.5CVSS7.5AI score0.33001EPSS

cve•added 2015/07/20 11:59 p.m.•1519 views

CVE-2015-3185

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions...

4.3CVSS6.6AI score0.07873EPSS

cve•added 2013/02/26 4:55 p.m.•1244 views

CVE-2012-3499

Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp,...

4.3CVSS6AI score0.21794EPSS

cve•added 2012/08/22 7:55 p.m.•1221 views

CVE-2012-2687

Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted f...

2.6CVSS5.5AI score0.05337EPSS

cve•added 2013/02/26 4:55 p.m.•1106 views

CVE-2012-4558

Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HT...

4.3CVSS6AI score0.65303EPSS

cve•added 2014/07/20 11:12 a.m.•858 views

CVE-2014-3523

Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

5CVSS6.3AI score0.35235EPSS

cve•added 2014/04/15 10:55 a.m.•828 views

CVE-2013-5704

The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

5CVSS5.7AI score0.8475EPSS

cve•added 2014/10/10 10:55 a.m.•408 views

CVE-2014-3581

The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.

5CVSS6.2AI score0.03873EPSS

cve•added 2012/08/22 7:55 p.m.•176 views

CVE-2012-3502

The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp module and (2) mod_proxy_http.c in the mod_proxy_http module in the Apache HTTP Server 2.4.x before 2.4.3 does not properly determine the situations that require closing a back-end connection, which allows remote attackers to obtai...

4.3CVSS6AI score0.04442EPSS