101 matches found
CVE-2020-1934
CVE-2020-1934 affects Apache HTTP Server 2.4.0–2.4.41 via mod_proxy_ftp, which may use uninitialized memory when proxying to a malicious FTP backend. Public advisories confirm the fixes in Apache HTTP Server 2.4.43+ (e.g., ALAS-2020-1370/ALAS2-2020-1427), so upgrading to 2.4.43 or newer is the re...
CVE-2019-0220
CVE-2019-0220 affects Apache HTTP Server 2.4.0–2.4.38. The issue arises when the path component of a request URL contains multiple consecutive slashes; directives like LocationMatch and RewriteRule must account for duplicates in regular expressions because the server may collapse or mishandle the...
CVE-2018-1283
In Apache httpd (mod_session) versions 2.4.0–2.4.29, when SessionEnv forwarding is enabled to CGI applications, a remote attacker can influence their content by sending a crafted Session header. This arises from mod_session forwarding data using the HTTP_SESSION variable name, which overlaps with...
CVE-2024-36387
CVE-2024-36387 affects the Apache httpd mod_http2 component: when serving WebSocket protocol upgrades over HTTP/2, it can trigger a NULL pointer dereference and crash the server, degrading performance (DoS). Connected advisories indicate patches across distributions (e.g., Debian security update ...
CVE-2007-6750
CVE-2007-6750 affects Apache HTTP Server 1.x and 2.x. The vulnerability arises from handling partial HTTP requests (Slowloris), related to absence of the mod_reqtimeout protection in versions before 2.2.15, enabling remote DoS (daemon outage). Public details in connected docs confirm PoCs/exploit...
CVE-2022-37436
CVE-2022-37436 affects Apache HTTP Server in versions prior to 2.4.55. The issue allows a malicious backend to truncate response headers early, causing some headers to be incorporated into the response body and preventing the later headers from being interpreted by the client. Affected products i...
CVE-2019-0196
The CVE-2019-0196 issue affects Apache HTTP Server 2.4.x (noted in several advisories) where the http/2 request handling could access freed memory during a string comparison to determine the request method, potentially causing incorrect request processing. This is tied to mod_http2 and is describ...
CVE-2014-0231
The CVE-2014-0231 issue affects the Apache HTTP Server mod_cgid module, specifically versions before 2.4.10. A missing timeout mechanism allows a remote attacker to trigger a denial of service by sending a request to a CGI script that does not read from stdin, causing the process to hang. This vu...
CVE-2014-0098
CVE-2014-0098 affects the Apache HTTP Server (mod_log_config) prior to version 2.4.8. The vulnerability is caused by how log_cookie is handled during truncation, allowing remote attackers to trigger a denial-of-service (segmentation fault and daemon crash). Public advisories and vendor notes (e.g...
CVE-2019-17567
CVE-2019-17567 affects Apache HTTP Server 2.4.x where mod_proxy_wstunnel on a URL not guaranteed to be upgraded by the origin server tunnels the entire connection, allowing subsequent requests on the same TCP connection to bypass HTTP validation, authentication, or authorization. Public reference...
CVE-2013-6438
The vulnerability CVE-2013-6438 affects the Apache HTTP Server mod_dav component. The flaw is in dav_xml_get_cdata (main/util.c) where whitespace is not correctly removed from CDATA sections, enabling a remote attacker to trigger a denial of service (daemon crash) with a crafted DAV WRITE request...
CVE-2022-28614
CVE-2022-28614 affects Apache HTTP Server 2.4.53 and earlier. The vulnerability stems from ap_rwrite() potentially reading unintended memory when reflecting very large input via ap_rwrite() or ap_rputs(), notably with mod_luas r:puts(). Modules compiled against older headers that use ap_rputs may...
CVE-2018-11763
CVE-2018-11763 affects Apache HTTP Server 2.4.17–2.4.34 and targets the HTTP/2 implementation. The issue arises when a client sends continuous, large SETTINGS frames, allowing a single connection to occupy a server thread and CPU time without triggering a connection timeout. Impact is limited to ...
CVE-2020-11985
CVE-2020-11985 – Apache HTTP Server spoofing via proxying with mod_remoteip and mod_rewrite is documented in the initial CVE entry and corroborated by connected sources. Affected behavior: an attacker could spoof their IP address for logs and PHP scripts when proxying through mod_remoteip with ce...
CVE-2023-45802
CVE-2023-45802 describes a memory‑leak condition in HTTP/2 handling: when a client resets a stream, memory deallocation is deferred until connection close, allowing a connection to accumulate memory usage over time. Astra Linux security notes reproduce the issue description and cite a fix in Apac...
CVE-2021-30641
CVE-2021-30641 affects Apache HTTP Server 2.4.39–2.4.46 with unexpected matching behavior when MergeSlashes OFF. Connected sources indicate patched versions: Debian fixes in 2.4.38-based packages, AlmaLinux/RedHat advisories reference a fix in Apache 2.4.51 for supported Check Point versions, and...
CVE-2018-1301
CVE-2018-1301 affects the Apache HTTP Server (httpd) prior to 2.4.30, caused by an out-of-bounds access after a size limit is reached when reading the HTTP header. Impact described as a crash (low risk for normal usage). Affected component is httpd’s HTTP header parsing; root cause is an out-of-b...
CVE-2013-1862
CVE-2013-1862 affects Apache HTTP Server 2.2.x up to 2.2.24, where mod_rewrite writes log data without sanitizing non‑printable characters. This can allow a remote attacker to execute arbitrary commands by sending an HTTP request containing an escape sequence for a terminal emulator, with some so...
CVE-2018-17189
CVE-2018-17189 : In Apache HTTP Server 2.4.37 and earlier, mod_http2 can cause a DoS by handling slowloris-style request bodies, unnecessarily occupying a server thread for the h2 stream on HTTP/2 connections. Affected product: Apache HTTP Server with mod_http2. Impact: denial of service via thre...
CVE-2011-3368
CVE-2011-3368 affects the Apache HTTP Server’s mod_proxy in reverse-proxy configurations. The vulnerability arises when using (1) RewriteRule with the [P] flag or (2) ProxyPassMatch; a remote attacker can craft a URI starting with an initial @ character to force the proxy to connect to an interna...
CVE-2018-1302
Apache HTTP Server (httpd) before 2.4.30 may write a NULL pointer to freed memory when an HTTP/2 stream is destroyed after handling. This is described as low risk and hard to trigger in standard configurations, with no reproducibility outside debug builds. Affected releases include older 2.4.x li...
CVE-2020-13938
CVE-2020-13938 affects Apache HTTP Server 2.4.0–2.4.46. The vulnerability allows unprivileged local users to stop the httpd service on Windows. The connected sources confirm the affected product family and the local-access impact, with public advisories referencing Microsoft Windows behavior and ...
CVE-2014-3523
CVE-2014-3523 corresponds to a memory leak in the WinNT MPM of Apache HTTP Server 2.4.x on Windows. Specifically, when AcceptFilter is enabled, the winnt_accept function in server/mpm/winnt/child.c can leak memory under crafted requests, leading to denial of service. The vulnerability is tied to ...
CVE-2013-5704
CVE-2013-5704 concerns the Apache HTTP Server mod_headers trailer-header bypass vulnerability. The issue arises when a client places headers in the trailer portion of a chunked request, potentially bypassing RequestHeader unset directives and allowing header manipulation after header processing. ...
CVE-2015-3183
CVE-2015-3183 affects the Apache HTTP Server (httpd) via a bug in parsing chunked transfer encoding headers, enabling HTTP request smuggling when handling large chunk sizes or invalid chunk extensions (related to modules/http/http_filters.c). The issue is fixed in downstream advisories and patche...
CVE-2010-0408
CVE-2010-0408 affects the Apache HTTP Server 2.2.x prior to 2.2.15. The ap_proxy_ajp_request function in mod_proxy_ajp.c mishandles requests when a client sends no request body, allowing remote attackers to trigger a denial of service (backend server outage) by crafting a request. The issue is re...
CVE-2022-28330
CVE-2022-28330 affects Apache HTTP Server 2.4.53 and earlier on Windows, describing an out-of-bounds read when processing requests with the mod_isapi module. Public references in ALAS advisories indicate the fix is included in httpd 2.4.54 (and related ALT Linux advisories). Mitigation requires u...
CVE-2010-1452
CVE-2010-1452 affects Apache HTTP Server 2.2.x (before 2.2.16) via the mod_cache and mod_dav components. A request that lacks a path can crash the server, causing a denial of service. Debian advisories and related vendor notes confirm the issue and describe fixes/upgrades to 2.2.16 (and subsequen...
CVE-2015-0228
Apache HTTP Server mod_lua contains a Denial of Service vulnerability in lua_websocket_read (lua_request.c) affecting versions up to 2.4.12. A remote attacker can crash a child process by sending a crafted WebSocket Ping frame after a Lua script has invoked wsupgrade. The provided documents confi...
CVE-2014-3583
CVE-2014-3583 affects Apache HTTP Server 2.4.10 and earlier, where the handle_headers function in mod_proxy_fcgi.c can be triggered by long response headers to cause a denial of service (buffer over-read and daemon crash). The vulnerability stems from the proxy/Fcgi header handling in mod_proxy_f...
CVE-1999-1412
CVE-1999-1412 describes a DoS risk from an interaction between MacOS X 1.0 and Apache HTTP server, where a flood of HTTP GET requests to CGI programs can spawn many processes on affected systems. Connected sources provide concrete details indicating the issue relates to the Apache httpd component...
CVE-2010-2068
CVE-2010-2068 affects Apache HTTP ServerAffected: mod_proxy_http.c in Apache HTTP Server 2.2.9–2.2.15, 2.3.4-alpha, and 2.3.5-alpha on Windows, NetWare, OS/2 in certain proxy worker pool configurations.Root cause: timeout handling in mod_proxy_http did not correctly detect timeouts, allowing a re...
CVE-2025-66200
CVE-2025-66200 affects Apache HTTP Server 2.4.7–2.4.65. A mod_userdir+suexec bypass via AllowOverride FileInfo lets users with htaccess access to the RequestHeader directive cause some CGI scripts to execute under an unexpected userid. Connected advisories confirm the fix is in 2.4.66 (e.g., Debi...
CVE-2016-1546
CVE-2016-1546 affects Apache HTTP Server 2.4.17/2.4.18 with mod_http2 enabled, where there is no limit on the number of simultaneous stream workers for a single HTTP/2 connection. This can allow remote attackers to cause a denial of service (stream-processing outage) via modified flow-control win...
CVE-2012-4557
CVE-2012-4557 affects the Apache HTTP Server, specifically the mod_proxy_ajp module in versions 2.2.12–2.2.21. The vulnerability causes a worker node to enter an error state when a long request-processing time is detected, enabling remote attackers to trigger a denial of service via an expensive ...
CVE-2009-3095
CVE-2009-3095 is a vulnerability in Apache httpd’s mod_proxy_ftp that allows remote authenticated attackers to bypass access restrictions and send arbitrary commands to an FTP server via crafted HTTP Authorization header vectors. The issue is part of a set of fixes for mod_proxy_ftp in the same a...
CVE-2014-3581
Apache HTTP Server vulnerability CVE-2014-3581 affects the mod_cache component (cache_util.c) in the httpd 2.4.x line, before 2.4.11. An empty Content-Type header can trigger a NULL pointer dereference in cache_merge_headers_out, leading to a denial of service (application crash). Public advisori...
CVE-2024-40725
CVE-2024-40725 affects Apache HTTP Server core (httpd) and arises from a partial fix for CVE-2024-39884 in 2.4.61 that can leak local content when legacy content-type based configuration (AddType and similar) is used, potentially serving PHP scripts as source code under indirect requests. The iss...
CVE-2007-0450
CVE-2007-0450 is a directory traversal vulnerability affecting Apache Tomcat (and Tomcat behind certain Apache proxies) where a crafted URI containing a dot-dot sequence and mixed separators (/, , and %5C) can cause unauthorized disclosure of arbitrary files. Affected products/versions include To...
CVE-1999-0678
CVE-1999-0678 affects the Apache server configured on Debian GNU/Linux where the default ServerRoot is /usr/doc. This misconfiguration allows remote users to read documentation files for the entire server via the web interface. The issue is caused by serving the /usr/doc directory as part of the ...
CVE-2008-2364
The CVE-2008-2364 entry concerns the Apache HTTP Server mod_proxy, specifically the ap_proxy_http_process_response function in the mod_proxy_http.c file for Apache versions 2.0.63 and 2.2.8. The issue is that it does not cap the number of forwarded interim responses, which can lead to memory exha...
CVE-2009-3720
CVE-2009-3720 affects Expat 2.0.1 (libexpat) and its use in Python, PyXML, w3c-libwww, etc. Root cause: in lib/xmltok_impl.c, updatePosition handles crafted UTF-8 sequences, causing a buffer over-read and potential application crash (DoS). Connected documents confirm exploits are not detailed bey...
CVE-2009-3560
CVE-2009-3560 is an Expat 2.0.1 XML parsing vulnerability (big2_toUtf8 in libxmltok.c) that can cause a denial of service via malformed UTF-8 sequences in XML, triggering a buffer over-read in doProlog. Connected docs reference Expat/XML parsing context and list vulnerable products/versions; howe...
CVE-2003-0020
CVE-2003-0020 concerns Apache HTTP Server: the product does not filter terminal escape sequences from error logs, enabling potential insertion of escape sequences into terminal emulators vulnerable to such sequences. Connected documents show multiple related CVEs affecting different Apache branch...
CVE-2010-1623
The CVE-2010-1623 issue affects the APR-util library (apr_brigade_split_line in buckets/apr_brigade.c) prior to version 1.3.10, where a memory leak can allow remote attackers to cause denial of service through memory consumption related to APR bucket destruction. Affected products commonly includ...
CVE-2005-1268
CVE-2005-1268 is an off-by-one overflow in Apache mod_ssl CRL verification callback when using a CRL, enabling a remote attacker to cause an Apache child process crash (DoS). Several advisories note this vulnerability and document patches/upstream fixes in Apache httpd releases; e.g., Red Hat/Cen...
CVE-2026-34032
CVE-2026-34032 is a vulnerability in Apache HTTP Server up to version 2.4.66, caused by a missing null-termination check in mod_proxy_ajp (ajp_msg_get_string) that leads to a heap buffer over-read. Affected product: Apache HTTP Server; vulnerable component: mod_proxy_ajp; root cause: missing null...
CVE-2026-33007
CVE-2026-33007 affects the Apache HTTP Server mod_authn_socache, where a NULL pointer dereference in 2.4.66 and earlier allows an unauthenticated remote user to crash a child process within a caching forward proxy configuration. The issue is resolved by upgrading to version 2.4.67. Unclear if in-...
CVE-2001-0731
CVE-2001-0731 affects Apache 1.3.20 when Multiviews is enabled. A remote attacker can cause a directory listing to be displayed (information disclosure) by crafting a request containing an M=D query string, bypassing normal index page behavior. Public advisories and scans consistently reference t...
CVE-2007-3847
CVE-2007-3847 affects Apache httpd 2.3.x (mod_proxy) where the date handling in modules/proxy/proxy_util.c under a threaded MPM can be triggered by crafted date headers, causing a buffer over-read and remote denial of service (caching forward proxy process crash). The linked advisories indicate t...