Http Server@2.4.4 Security Vulnerabilities and Issues — Http Server@2.4.4 CVE List

Lucene search

ApacheHttp Server2.4.4

9 matches found

CVE•added 2018/03/26 3:29 p.m.•7165 views

CVE-2018-1312

In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed acros...

9.8CVSS7.5AI score0.09062EPSS

CVE•added 2017/09/18 3:29 p.m.•3282 views

CVE-2017-9798

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker send...

7.5CVSS7.7AI score0.93978EPSS

CVE•added 2018/08/14 1:0 p.m.•3004 views

CVE-2016-4975

Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2...

6.1CVSS6.9AI score0.77046EPSS

CVE•added 2018/03/26 3:29 p.m.•2910 views

CVE-2017-15710

In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conv...

7.5CVSS7.5AI score0.11702EPSS

CVE•added 2014/12/29 11:59 p.m.•2013 views

CVE-2014-8109

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restricti...

4.3CVSS6.7AI score0.17172EPSS

CVE•added 2015/07/20 11:59 p.m.•1519 views

CVE-2015-3185

The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions...

4.3CVSS6.6AI score0.07873EPSS

CVE•added 2014/07/20 11:12 a.m.•858 views

CVE-2014-3523

Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

5CVSS6.3AI score0.35235EPSS

CVE•added 2014/04/15 10:55 a.m.•828 views

CVE-2013-5704

The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

5CVSS5.7AI score0.8475EPSS

CVE•added 2014/10/10 10:55 a.m.•408 views

CVE-2014-3581

The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.

5CVSS6.2AI score0.03873EPSS