46 matches found
CVE-2016-8612
CVE-2016-8612 affects Apache HTTP Server mod_cluster prior to httpd 2.4.23, with a flaw in the protocol parsing logic of the load balancer that can cause a Segmentation Fault in the httpd process due to improper input validation. Exploitation details are not provided in the connected documents; r...
CVE-2019-0197
The CVE-2019-0197 entry concerns Apache HTTP Server 2.4.34–2.4.38. When HTTP/2 is enabled for an http: host or H2Upgrade is enabled for h2 on an https: host, an Upgrade request from http/1.1 to http/2 that is not the first request on a connection could cause misconfiguration and crash. Servers th...
CVE-2014-8109
CVE-2014-8109 affects the Apache HTTP Server 2.3.x and 2.4.x up to 2.4.10, where mod_lua.c does not properly handle an httpd configuration using the same Lua authorization provider with different arguments across contexts. This can allow remote attackers to bypass access restrictions via multiple...
CVE-2015-3185
CVE-2015-3185 affects Apache HTTP Server (httpd) 2.4.x up to before 2.4.14. The ap_some_auth_required() function in server/request.c could incorrectly treat a request as authenticated, allowing modules using this API to bypass intended access controls. The issue’s fix/backport is described as imp...
CVE-2014-0118
CVE-2014-0118 affects the Apache HTTP Server mod_deflate: the deflate_in_filter in mod_deflate.c allows remote denial-of-service when request body decompression is enabled, by processing crafted data that expands to a large size. Affected versions are Apache httpd prior to 2.4.10. Impact is resou...
CVE-2012-3499
CVE-2012-3499 affects Apache HTTP Server 2.2.x (pre-2.2.24-dev) and 2.4.x (pre-2.4.4). The issue comprises multiple XSS flaws in modules including mod_imagemap, mod_info, mod_ldap, mod_proxy_ftp, and mod_status. An attacker can inject arbitrary web script/HTML via crafted Host header or URI-relat...
CVE-2003-1418
CVE-2003-1418 affects Apache HTTP Server 1.3.22–1.3.27 on OpenBSD. The root cause is information disclosure via (1) ETag headers that reveal inode numbers and (2) multipart MIME boundaries that reveal child process IDs (PIDs). Practical impact is partial information disclosure that can aid reconn...
CVE-2013-1896
The CVE-2013-1896 issue affects the Apache HTTP Server: mod_dav.c fails to correctly determine if DAV is enabled for a URI, allowing a remote attacker to trigger a segfault via a MERGE request when the URI is handled by mod_dav_svn and the href in the XML data points to a non-DAV URI. This can le...
CVE-2012-0053
CVE-2012-0053 affects Apache HTTP Server 2.2.x up to 2.2.21. The flaw in protocol.c during 400 error page construction can reveal HTTPOnly cookie values via long/malformed headers with crafted scripts. Remediation per advisories: upgrade to 2.2.22 or later (e.g., httpd 2.2.22).
CVE-2014-0117
The vulnerability CVE-2014-0117 affects the Apache HTTP Server, specifically the mod_proxy behavior in the 2.4.x line prior to 2.4.10. When a reverse proxy is enabled, a remote attacker can craft an HTTP Connection header to trigger a denial of service (child process crash). This is documented ac...
CVE-2012-4558
CVE-2012-4558 is an XSS vulnerability in Apache HTTP Server's balancer_handler (mod_proxy_balancer). Remote attackers can inject arbitrary web script/HTML via a crafted string in the manager interface for Apache 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4. Impact is arbitrary script execution ...
CVE-2011-4317
The CVE-2011-4317 issue concerns Apache HTTP Server in reverse proxy configurations (ProxyPassMatch/RewriteRule with [P]). It enables remote access to intranet servers via a malformed URI containing @ and : when the Revision 1179239 patch is applied, reflecting an incomplete fix for CVE-2011-3368...
CVE-2012-0031
CVE-2012-0031 affects Apache HTTP Server 2.2.21 and earlier, specifically scoreboard.c. The vulnerability allows local users to cause a denial of service (daemon crash during shutdown) or potentially other unspecified impact by modifying a type field in a shared scoreboard Memory segment, which l...
CVE-2011-3607
The CVE-2011-3607 issue affects the Apache HTTP Server 2.0.x (up to 2.0.64) and 2.2.x (up to 2.2.21) when mod_setenvif is enabled. An integer overflow in ap_pregsub() in server/util.c can cause a heap-based buffer overflow, enabling local privilege escalation via a crafted .htaccess SetEnvIf dire...
CVE-2011-3639
CVE-2011-3639 affects the Apache HTTP Server mod_proxy when using reverse proxy configurations (RewriteRule/ProxyPassMatch). The initial fix for CVE-2011-3368 did not fully address the issue, allowing a remote attacker to connect to an intranet/hidden server by sending HTTP/0.9 with a malformed U...
CVE-2013-4352
CVE-2013-4352 affects Apache HTTP Server (httpd) 2.4.x, specifically the mod_cache cache_storage.c: the cache_invalidate path in forward proxy caching can trigger a NULL pointer dereference, crashing the httpd and causing a Denial of Service. Public disclosures tie this to Apache httpd 2.4.6; mul...
CVE-2011-0419
CVE-2011-0419 is a stack consumption/DoS vulnerability in the APR library’s fnmatch implementation (apr_fnmatch.c) and, for some platforms, in libc’s fnmatch.c. It affects APR < 1.4.3 and Apache HTTP Server
CVE-2011-3348
The CVE-2011-3348 issue affects the Apache HTTP Server’s mod_proxy_ajp in combination with mod_proxy_balancer, where certain configurations allow remote attackers to trigger a denial of service by sending a malformed HTTP request. The vulnerability is described as causing a temporary error state ...
CVE-2008-0455
CVE-2008-0455 is an XSS vulnerability in the mod_negotiation module of Apache HTTP Server. A remote authenticated attacker can upload a file whose name contains XSS sequences and a file extension, causing arbitrary script/HTML to be injected into HTTP responses (notably for 406 Not Acceptable or ...
CVE-2010-0434
CVE-2010-0434 affects the Apache HTTP Server 2.2.x series (pre-2.2.15) where the ap_read_request handling in server/protocol.c for multithreaded MPMs could disclose memory contents by accessing headers of subrequests tied to an earlier request. Public sources in connected docs (e.g., Debian secur...
CVE-2008-2939
CVE-2008-2939 is an XSS vulnerability in the Apache HTTP Server when using the mod_proxy_ftp module. The flaw arises from insufficient sanitization of user-supplied data in FTP URIs, specifically involving a wildcard in the last directory component of the pathname. A remote attacker could inject ...
CVE-2009-1195
CVE-2009-1195 affects the Apache HTTP Server 2.2.x line (2.2.11 and earlier). The issue arises from improper handling of the Options=IncludesNOEXEC in the AllowOverride directive, enabling local users to configure .htaccess files to enable script execution via (1) Options Includes, (2) Options +I...
CVE-2007-5000
CVE-2007-5000 affects Apache HTTP Server mod_imap and mod_imagemap (v1.3.0–1.3.39 and v2.0.35–2.0.61). The flaw is due to insufficient input validation, allowing remote script/HTML injection via unspecified vectors. Public advisories note fixes in later Apache releases (and related packages); mit...
CVE-2007-6203
Apache HTTP Server 2.0.x and 2.2.x are affected by CVE-2007-6203, where the HTTP Method header is not sanitized when reflected in a 413 Response, enabling cross-site scripting-like attacks via headers sent by the client. The root cause is lack of sanitization of the Method specifier header in suc...
CVE-2006-3918
CVE-2006-3918 is an Apache HTTP Server/IBM HTTP Server issue where the HTTP Expect header is not sanitized when echoed back in error messages, enabling potential cross-site scripting via headers (as demonstrated with Flash/other clients). Affected products and versions include Apache HTTP Server ...
CVE-2007-6388
CVE-2007-6388 is an XSS vulnerability in Apache HTTP Server mod_status when the server-status page is enabled. The initial description covers affected versions: Apache HTTP Server 2.2.0–2.2.6, 2.0.35–2.0.61, and 1.3.2–1.3.39, with arbitrary web script/HTML injection possible via unspecified vecto...
CVE-2006-5752
CVE-2006-5752 is a cross-site scripting (XSS) vulnerability in the Apache HTTP Server mod_status component when ExtendedStatus is enabled and a public server-status page is used. The issue arises via browsers performing charset detection when the content-type is not specified, allowing remote att...
CVE-2007-6420
The CVE-2007-6420 issue is a CSRF vulnerability in the balancer-manager interface of Apache HTTP Server 2.2.x (mod_proxy_balancer). The vulnerability could allow remote attackers to gain privileges via unspecified vectors affecting the balancer-management UI. Connected advisories indicate multipl...
CVE-2007-6422
CVE-2007-6422 affects Apache HTTP Server 2.2.0–2.2.6 when using a threaded MPM. The vulnerability in the mod_proxy_balancer module allows remote authenticated users to cause a denial of service by triggering a crash of the Apache child process via an invalid bb variable. This is documented in mul...
CVE-2026-33006
The CVE-2026-33006 issue affects Apache HTTP Server 2.4.66 and its mod_auth_digest component. A timing-based flaw allows a remote attacker to bypass Digest authentication. The known remediation is upgrading to Apache HTTP Server 2.4.67, which fixes the vulnerability. The NVD entry documents a MED...
CVE-2012-3502
Apache HTTP Server 2.4.x before 2.4.3 is affected by CVE-2012-3502. The vulnerability lies in the proxy components (mod_proxy_ajp.c and mod_proxy_http.c) where the server does not correctly determine when to close a back-end connection, allowing an attacker to read a response intended for a diffe...
CVE-2005-3352
The CVE-2005-3352 entry documents a cross-site scripting (XSS) vulnerability in the Apache httpd mod_imap (and mod_imagemap) module. The issue arises from improper handling of the Referer header when using image maps, allowing an attacker to inject arbitrary script or HTML. Affected software is A...
CVE-2007-3304
CVE-2007-3304 affects Apache HTTP Server (httpd) with the Prefork MPM. The issue arises when a local attacker can modify the scoreboard arrays (worker_score and process_score) to reference another process, enabling the master process to send SIGUSR1 and terminate that process, potentially causing...
CVE-2008-2168
CVE-2008-2168 : The linked SUSE/NVD entries describe a cross-site scripting (XSS) vulnerability in Apache HTTP Server up to version 2.2.6 and earlier, exploitable via UTF-7 encoded URLs that are mishandled when rendering the 403 Forbidden error page. Attacker-provided URL input can inject arbitra...
CVE-2007-1743
CVE-2007-1743 affects Apache HTTP Server (httpd) with the suexec module. The issue is that suexec (in httpd 2.2.3) does not verify combinations of user and group IDs on the command line, which might allow a local user to leverage other vulnerabilities to create arbitrary UID/GID–owned files if /p...
CVE-2006-4110
CVE-2006-4110 affects Apache 2.2.2 running on Windows. An information-disclosure vulnerability arises when the CGI directory is within the document root: requests that alter the case of the directory name bypass the ScriptAlias handler on a case-insensitive filesystem, allowing attackers to read ...
CVE-2008-0005
CVE-2008-0005 affects Apache httpd mod_proxy_ftp: versions prior to 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev do not define a charset, enabling remote XSS via UTF-7 encoding. Remediation per connected advisories: upgrade to patched Apache httpd versions that backport fixes f...
CVE-2009-0023
CVE-2009-0023 affects Apache APR-util prior to 1.3.5. The vulnerability in apr_strmatch_precompile (strmatch/apr_strmatch.c) can be exploited by crafted input via that library’s usage contexts (e.g., .htaccess with Apache HTTP Server, SVNMasterURI in mod_dav_svn, mod_apreq2, or applications using...
CVE-2005-2088
The CVE-2005-2088 vulnerability affects the Apache HTTP Server when acting as an HTTP proxy. Specifically, versions before 1.3.34 and 2.0.x before 2.0.55 are susceptible. The issue arises from handling a request containing both Transfer-Encoding: chunked and Content-Length, causing the body to be...
CVE-2011-1928
The CVE-2011-1928 issue affects the APR library’s fnmatch implementation (apr_fnmatch.c) in APR 1.4.3/1.4.4 and Apache HTTP Server 2.2.18, causing an infinite-loop DoS when processing certain URIs due to an incorrect fix for CVE-2011-0419. Connected advisories note the problem is triggered by wil...
CVE-2007-6514
CVE-2007-6514 affects Apache HTTP Server when run on Linux with a document root on a Windows SMB share mounted via smbfs. The vulnerability arises from a trailing backslash () not being handled by the AddType directive, allowing remote attackers to disclose unprocessed contents of PHP files (e.g....
CVE-2003-1307
Summary: CVE-2003-1307 affects the mod_php module of the Apache HTTP Server. Vulnerability: Local users with write access to PHP scripts can signal the server’s process group and manipulate server file descriptors, demonstrated by sending a STOP signal and intercepting connections on the server’s...
CVE-2002-1658
CVE-2002-1658 describes a buffer overflow in htdigest used by Apache 1.3.26/1.3.27 that may allow arbitrary code execution via a long user argument. The vulnerability is tied to htdigest functionality, with local access as the attack vector and no setuid/setgid context; escalation of privileges i...
CVE-2000-1205
CVE-2000-1205 covers cross-site scripting in Apache 1.3.0–1.3.11. The vulnerability allows remote attackers to execute script as other visitors via (1) printenv CGI (printenv.pl) output, (2) error pages generated by ap_send_error_response (e.g., default 404) that omit an explicit charset, or (3) ...
CVE-2007-3303
CVE-2007-3303 affects Apache httpd 2.0.59 and 2.2.4 with the Prefork MPM. The described issue arises from certain code sequences executed in a worker process, which can either stop request processing by killing all workers and preventing replacements, or cause the master process to fork an arbitr...
CVE-2003-1580
The CVE-2003-1580 issue affects Apache HTTP Server 2.0.44 when DNS resolution is enabled for client IPs. The vulnerability arises from a logging format that does not indicate whether a dotted-quad IP address is unresolved, which can allow remote attackers to spoof IP addresses by sending crafted ...