Lucene search
K
ApacheHttp Server

101 matches found

CVE
CVE
•added 2020/04/01 7:22 p.m.•5486 views

CVE-2020-1934

CVE-2020-1934 affects Apache HTTP Server 2.4.0–2.4.41 via mod_proxy_ftp, which may use uninitialized memory when proxying to a malicious FTP backend. Public advisories confirm the fixes in Apache HTTP Server 2.4.43+ (e.g., ALAS-2020-1370/ALAS2-2020-1427), so upgrading to 2.4.43 or newer is the re...

5.3CVSS6AI score0.51951EPSS
In wild
CVE
CVE
•added 2019/06/11 8:49 p.m.•4489 views

CVE-2019-0220

CVE-2019-0220 affects Apache HTTP Server 2.4.0–2.4.38. The issue arises when the path component of a request URL contains multiple consecutive slashes; directives like LocationMatch and RewriteRule must account for duplicates in regular expressions because the server may collapse or mishandle the...

5.3CVSS6.4AI score0.1786EPSS
CVE
CVE
•added 2018/03/26 3:0 p.m.•3574 views

CVE-2018-1283

In Apache httpd (mod_session) versions 2.4.0–2.4.29, when SessionEnv forwarding is enabled to CGI applications, a remote attacker can influence their content by sending a crafted Session header. This arises from mod_session forwarding data using the HTTP_SESSION variable name, which overlaps with...

5.3CVSS7AI score0.10118EPSS
CVE
CVE
•added 2024/07/01 6:10 p.m.•3221 views

CVE-2024-36387

CVE-2024-36387 affects the Apache httpd mod_http2 component: when serving WebSocket protocol upgrades over HTTP/2, it can trigger a NULL pointer dereference and crash the server, degrading performance (DoS). Connected advisories indicate patches across distributions (e.g., Debian security update ...

5.4CVSS6.4AI score0.01715EPSS
CVE
CVE
•added 2011/12/27 6:0 p.m.•2594 views

CVE-2007-6750

CVE-2007-6750 affects Apache HTTP Server 1.x and 2.x. The vulnerability arises from handling partial HTTP requests (Slowloris), related to absence of the mod_reqtimeout protection in versions before 2.2.15, enabling remote DoS (daemon outage). Public details in connected docs confirm PoCs/exploit...

5CVSS7AI score0.71634EPSS
CVE
CVE
•added 2023/01/17 7:12 p.m.•2528 views

CVE-2022-37436

CVE-2022-37436 affects Apache HTTP Server in versions prior to 2.4.55. The issue allows a malicious backend to truncate response headers early, causing some headers to be incorporated into the response body and preventing the later headers from being interpreted by the client. Affected products i...

5.3CVSS7.3AI score0.57941EPSS
CVE
CVE
•added 2019/06/11 9:2 p.m.•2208 views

CVE-2019-0196

The CVE-2019-0196 issue affects Apache HTTP Server 2.4.x (noted in several advisories) where the http/2 request handling could access freed memory during a string comparison to determine the request method, potentially causing incorrect request processing. This is tied to mod_http2 and is describ...

5.3CVSS6AI score0.193EPSS
CVE
CVE
•added 2014/07/20 10:0 a.m.•2073 views

CVE-2014-0231

The CVE-2014-0231 issue affects the Apache HTTP Server mod_cgid module, specifically versions before 2.4.10. A missing timeout mechanism allows a remote attacker to trigger a denial of service by sending a request to a CGI script that does not read from stdin, causing the process to hang. This vu...

5CVSS4.2AI score0.43809EPSS
CVE
CVE
•added 2014/03/18 1:0 a.m.•1974 views

CVE-2014-0098

CVE-2014-0098 affects the Apache HTTP Server (mod_log_config) prior to version 2.4.8. The vulnerability is caused by how log_cookie is handled during truncation, allowing remote attackers to trigger a denial-of-service (segmentation fault and daemon crash). Public advisories and vendor notes (e.g...

5CVSS8AI score0.25999EPSS
CVE
CVE
•added 2021/06/10 7:10 a.m.•1801 views

CVE-2019-17567

CVE-2019-17567 affects Apache HTTP Server 2.4.x where mod_proxy_wstunnel on a URL not guaranteed to be upgraded by the origin server tunnels the entire connection, allowing subsequent requests on the same TCP connection to bypass HTTP validation, authentication, or authorization. Public reference...

5.3CVSS7AI score0.60266EPSS
CVE
CVE
•added 2014/03/18 1:0 a.m.•1776 views

CVE-2013-6438

The vulnerability CVE-2013-6438 affects the Apache HTTP Server mod_dav component. The flaw is in dav_xml_get_cdata (main/util.c) where whitespace is not correctly removed from CDATA sections, enabling a remote attacker to trigger a denial of service (daemon crash) with a crafted DAV WRITE request...

5CVSS8AI score0.26831EPSS
CVE
CVE
•added 2022/06/08 10:0 a.m.•1699 views

CVE-2022-28614

CVE-2022-28614 affects Apache HTTP Server 2.4.53 and earlier. The vulnerability stems from ap_rwrite() potentially reading unintended memory when reflecting very large input via ap_rwrite() or ap_rputs(), notably with mod_luas r:puts(). Modules compiled against older headers that use ap_rputs may...

5.3CVSS7.5AI score0.04428EPSS
CVE
CVE
•added 2018/09/25 9:0 p.m.•1655 views

CVE-2018-11763

CVE-2018-11763 affects Apache HTTP Server 2.4.17–2.4.34 and targets the HTTP/2 implementation. The issue arises when a client sends continuous, large SETTINGS frames, allowing a single connection to occupy a server thread and CPU time without triggering a connection timeout. Impact is limited to ...

5.9CVSS5.6AI score0.51002EPSS
CVE
CVE
•added 2020/08/07 3:36 p.m.•1547 views

CVE-2020-11985

CVE-2020-11985 – Apache HTTP Server spoofing via proxying with mod_remoteip and mod_rewrite is documented in the initial CVE entry and corroborated by connected sources. Affected behavior: an attacker could spoof their IP address for logs and PHP scripts when proxying through mod_remoteip with ce...

5.3CVSS5.9AI score0.06808EPSS
CVE
CVE
•added 2023/10/23 6:50 a.m.•1496 views

CVE-2023-45802

CVE-2023-45802 describes a memory‑leak condition in HTTP/2 handling: when a client resets a stream, memory deallocation is deferred until connection close, allowing a connection to accumulate memory usage over time. Astra Linux security notes reproduce the issue description and cite a fix in Apac...

5.9CVSS8.3AI score0.03024EPSS
In wild
CVE
CVE
•added 2021/06/10 7:10 a.m.•1233 views

CVE-2021-30641

CVE-2021-30641 affects Apache HTTP Server 2.4.39–2.4.46 with unexpected matching behavior when MergeSlashes OFF. Connected sources indicate patched versions: Debian fixes in 2.4.38-based packages, AlmaLinux/RedHat advisories reference a fix in Apache 2.4.51 for supported Check Point versions, and...

5.3CVSS7.5AI score0.52331EPSS
CVE
CVE
•added 2018/03/26 3:0 p.m.•1179 views

CVE-2018-1301

CVE-2018-1301 affects the Apache HTTP Server (httpd) prior to 2.4.30, caused by an out-of-bounds access after a size limit is reached when reading the HTTP header. Impact described as a crash (low risk for normal usage). Affected component is httpd’s HTTP header parsing; root cause is an out-of-b...

5.9CVSS7.5AI score0.15564EPSS
CVE
CVE
•added 2013/06/10 5:0 p.m.•1167 views

CVE-2013-1862

CVE-2013-1862 affects Apache HTTP Server 2.2.x up to 2.2.24, where mod_rewrite writes log data without sanitizing non‑printable characters. This can allow a remote attacker to execute arbitrary commands by sending an HTTP request containing an escape sequence for a terminal emulator, with some so...

5.1CVSS6.9AI score0.24886EPSS
CVE
CVE
•added 2019/01/30 10:0 p.m.•1159 views

CVE-2018-17189

CVE-2018-17189 : In Apache HTTP Server 2.4.37 and earlier, mod_http2 can cause a DoS by handling slowloris-style request bodies, unnecessarily occupying a server thread for the h2 stream on HTTP/2 connections. Affected product: Apache HTTP Server with mod_http2. Impact: denial of service via thre...

5.3CVSS6.1AI score0.19404EPSS
CVE
CVE
•added 2011/10/05 10:0 p.m.•1135 views

CVE-2011-3368

CVE-2011-3368 affects the Apache HTTP Server’s mod_proxy in reverse-proxy configurations. The vulnerability arises when using (1) RewriteRule with the [P] flag or (2) ProxyPassMatch; a remote attacker can craft a URI starting with an initial @ character to force the proxy to connect to an interna...

5CVSS9.2AI score0.90734EPSS
CVE
CVE
•added 2018/03/26 3:0 p.m.•1070 views

CVE-2018-1302

Apache HTTP Server (httpd) before 2.4.30 may write a NULL pointer to freed memory when an HTTP/2 stream is destroyed after handling. This is described as low risk and hard to trigger in standard configurations, with no reproducibility outside debug builds. Affected releases include older 2.4.x li...

5.9CVSS6.4AI score0.13436EPSS
CVE
CVE
•added 2021/06/10 7:10 a.m.•960 views

CVE-2020-13938

CVE-2020-13938 affects Apache HTTP Server 2.4.0–2.4.46. The vulnerability allows unprivileged local users to stop the httpd service on Windows. The connected sources confirm the affected product family and the local-access impact, with public advisories referencing Microsoft Windows behavior and ...

5.5CVSS6.6AI score0.11773EPSS
In wild
CVE
CVE
•added 2014/07/20 10:0 a.m.•914 views

CVE-2014-3523

CVE-2014-3523 corresponds to a memory leak in the WinNT MPM of Apache HTTP Server 2.4.x on Windows. Specifically, when AcceptFilter is enabled, the winnt_accept function in server/mpm/winnt/child.c can leak memory under crafted requests, leading to denial of service. The vulnerability is tied to ...

5CVSS6.3AI score0.16372EPSS
CVE
CVE
•added 2014/04/15 10:0 a.m.•906 views

CVE-2013-5704

CVE-2013-5704 concerns the Apache HTTP Server mod_headers trailer-header bypass vulnerability. The issue arises when a client places headers in the trailer portion of a chunked request, potentially bypassing RequestHeader unset directives and allowing header manipulation after header processing. ...

5CVSS5.7AI score0.60205EPSS
CVE
CVE
•added 2015/07/20 11:0 p.m.•843 views

CVE-2015-3183

CVE-2015-3183 affects the Apache HTTP Server (httpd) via a bug in parsing chunked transfer encoding headers, enabling HTTP request smuggling when handling large chunk sizes or invalid chunk extensions (related to modules/http/http_filters.c). The issue is fixed in downstream advisories and patche...

5CVSS6.5AI score0.73327EPSS
CVE
CVE
•added 2010/03/05 4:0 p.m.•791 views

CVE-2010-0408

CVE-2010-0408 affects the Apache HTTP Server 2.2.x prior to 2.2.15. The ap_proxy_ajp_request function in mod_proxy_ajp.c mishandles requests when a client sends no request body, allowing remote attackers to trigger a denial of service (backend server outage) by crafting a request. The issue is re...

5CVSS8.9AI score0.20787EPSS
CVE
CVE
•added 2022/06/08 10:0 a.m.•778 views

CVE-2022-28330

CVE-2022-28330 affects Apache HTTP Server 2.4.53 and earlier on Windows, describing an out-of-bounds read when processing requests with the mod_isapi module. Public references in ALAS advisories indicate the fix is included in httpd 2.4.54 (and related ALT Linux advisories). Mitigation requires u...

5.3CVSS7.1AI score0.03398EPSS
CVE
CVE
•added 2010/07/28 7:32 p.m.•776 views

CVE-2010-1452

CVE-2010-1452 affects Apache HTTP Server 2.2.x (before 2.2.16) via the mod_cache and mod_dav components. A request that lacks a path can crash the server, causing a denial of service. Debian advisories and related vendor notes confirm the issue and describe fixes/upgrades to 2.2.16 (and subsequen...

5CVSS5.2AI score0.2187EPSS
Web
CVE
CVE
•added 2015/03/08 2:0 a.m.•739 views

CVE-2015-0228

Apache HTTP Server mod_lua contains a Denial of Service vulnerability in lua_websocket_read (lua_request.c) affecting versions up to 2.4.12. A remote attacker can crash a child process by sending a crafted WebSocket Ping frame after a Lua script has invoked wsupgrade. The provided documents confi...

5CVSS8.8AI score0.18812EPSS
CVE
CVE
•added 2014/12/15 5:27 p.m.•709 views

CVE-2014-3583

CVE-2014-3583 affects Apache HTTP Server 2.4.10 and earlier, where the handle_headers function in mod_proxy_fcgi.c can be triggered by long response headers to cause a denial of service (buffer over-read and daemon crash). The vulnerability stems from the proxy/Fcgi header handling in mod_proxy_f...

5CVSS8AI score0.10783EPSS
CVE
CVE
•added 2001/09/12 4:0 a.m.•674 views

CVE-1999-1412

CVE-1999-1412 describes a DoS risk from an interaction between MacOS X 1.0 and Apache HTTP server, where a flood of HTTP GET requests to CGI programs can spawn many processes on affected systems. Connected sources provide concrete details indicating the issue relates to the Apache httpd component...

5CVSS6.2AI score0.35342EPSS
CVE
CVE
•added 2010/06/18 4:0 p.m.•603 views

CVE-2010-2068

CVE-2010-2068 affects Apache HTTP ServerAffected: mod_proxy_http.c in Apache HTTP Server 2.2.9–2.2.15, 2.3.4-alpha, and 2.3.5-alpha on Windows, NetWare, OS/2 in certain proxy worker pool configurations.Root cause: timeout handling in mod_proxy_http did not correctly detect timeouts, allowing a re...

5CVSS4.9AI score0.16002EPSS
CVE
CVE
•added 2025/12/05 11:2 a.m.•581 views

CVE-2025-66200

CVE-2025-66200 affects Apache HTTP Server 2.4.7–2.4.65. A mod_userdir+suexec bypass via AllowOverride FileInfo lets users with htaccess access to the RequestHeader directive cause some CGI scripts to execute under an unexpected userid. Connected advisories confirm the fix is in 2.4.66 (e.g., Debi...

5.4CVSS6.6AI score0.00591EPSS
CVE
CVE
•added 2016/07/06 2:0 p.m.•576 views

CVE-2016-1546

CVE-2016-1546 affects Apache HTTP Server 2.4.17/2.4.18 with mod_http2 enabled, where there is no limit on the number of simultaneous stream workers for a single HTTP/2 connection. This can allow remote attackers to cause a denial of service (stream-processing outage) via modified flow-control win...

5.9CVSS5.7AI score0.15327EPSS
CVE
CVE
•added 2012/11/30 7:0 p.m.•573 views

CVE-2012-4557

CVE-2012-4557 affects the Apache HTTP Server, specifically the mod_proxy_ajp module in versions 2.2.12–2.2.21. The vulnerability causes a worker node to enter an error state when a long request-processing time is detected, enabling remote attackers to trigger a denial of service via an expensive ...

5CVSS6.2AI score0.1747EPSS
CVE
CVE
•added 2009/09/08 6:0 p.m.•551 views

CVE-2009-3095

CVE-2009-3095 is a vulnerability in Apache httpd’s mod_proxy_ftp that allows remote authenticated attackers to bypass access restrictions and send arbitrary commands to an FTP server via crafted HTTP Authorization header vectors. The issue is part of a set of fixes for mod_proxy_ftp in the same a...

5CVSS9.4AI score0.1256EPSS
CVE
CVE
•added 2014/10/10 10:0 a.m.•472 views

CVE-2014-3581

Apache HTTP Server vulnerability CVE-2014-3581 affects the mod_cache component (cache_util.c) in the httpd 2.4.x line, before 2.4.11. An empty Content-Type header can trigger a NULL pointer dereference in cache_merge_headers_out, leading to a denial of service (application crash). Public advisori...

5CVSS6.2AI score0.13451EPSS
CVE
CVE
•added 2024/07/18 9:32 a.m.•368 views

CVE-2024-40725

CVE-2024-40725 affects Apache HTTP Server core (httpd) and arises from a partial fix for CVE-2024-39884 in 2.4.61 that can leak local content when legacy content-type based configuration (AddType and similar) is used, potentially serving PHP scripts as source code under indirect requests. The iss...

5.3CVSS7.4AI score0.04134EPSS
CVE
CVE
•added 2007/03/16 10:0 p.m.•366 views

CVE-2007-0450

CVE-2007-0450 is a directory traversal vulnerability affecting Apache Tomcat (and Tomcat behind certain Apache proxies) where a crafted URI containing a dot-dot sequence and mixed separators (/, , and %5C) can cause unauthorized disclosure of arbitrary files. Affected products/versions include To...

5CVSS6.2AI score0.90768EPSS
CVE
CVE
•added 2000/03/22 5:0 a.m.•291 views

CVE-1999-0678

CVE-1999-0678 affects the Apache server configured on Debian GNU/Linux where the default ServerRoot is /usr/doc. This misconfiguration allows remote users to read documentation files for the entire server via the web interface. The issue is caused by serving the /usr/doc directory as part of the ...

5CVSS6.6AI score0.31408EPSS
CVE
CVE
•added 2008/06/13 6:0 p.m.•273 views

CVE-2008-2364

The CVE-2008-2364 entry concerns the Apache HTTP Server mod_proxy, specifically the ap_proxy_http_process_response function in the mod_proxy_http.c file for Apache versions 2.0.63 and 2.2.8. The issue is that it does not cap the number of forwarded interim responses, which can lead to memory exha...

5CVSS7.2AI score0.12714EPSS
CVE
CVE
•added 2009/11/03 4:0 p.m.•243 views

CVE-2009-3720

CVE-2009-3720 affects Expat 2.0.1 (libexpat) and its use in Python, PyXML, w3c-libwww, etc. Root cause: in lib/xmltok_impl.c, updatePosition handles crafted UTF-8 sequences, causing a buffer over-read and potential application crash (DoS). Connected documents confirm exploits are not detailed bey...

5CVSS7AI score0.27924EPSS
CVE
CVE
•added 2009/12/04 9:0 p.m.•232 views

CVE-2009-3560

CVE-2009-3560 is an Expat 2.0.1 XML parsing vulnerability (big2_toUtf8 in libxmltok.c) that can cause a denial of service via malformed UTF-8 sequences in XML, triggering a buffer over-read in doProlog. Connected docs reference Expat/XML parsing context and list vulnerable products/versions; howe...

5CVSS7.5AI score0.24313EPSS
CVE
CVE
•added 2004/09/01 4:0 a.m.•210 views

CVE-2003-0020

CVE-2003-0020 concerns Apache HTTP Server: the product does not filter terminal escape sequences from error logs, enabling potential insertion of escape sequences into terminal emulators vulnerable to such sequences. Connected documents show multiple related CVEs affecting different Apache branch...

5CVSS7.7AI score0.10872EPSS
CVE
CVE
•added 2010/10/04 8:0 p.m.•207 views

CVE-2010-1623

The CVE-2010-1623 issue affects the APR-util library (apr_brigade_split_line in buckets/apr_brigade.c) prior to version 1.3.10, where a memory leak can allow remote attackers to cause denial of service through memory consumption related to APR bucket destruction. Affected products commonly includ...

5CVSS6.3AI score0.20167EPSS
CVE
CVE
•added 2005/08/05 4:0 a.m.•191 views

CVE-2005-1268

CVE-2005-1268 is an off-by-one overflow in Apache mod_ssl CRL verification callback when using a CRL, enabling a remote attacker to cause an Apache child process crash (DoS). Several advisories note this vulnerability and document patches/upstream fixes in Apache httpd releases; e.g., Red Hat/Cen...

5CVSS6.6AI score0.08388EPSS
CVE
CVE
•added 2026/05/04 12:54 p.m.•179 views

CVE-2026-34032

CVE-2026-34032 is a vulnerability in Apache HTTP Server up to version 2.4.66, caused by a missing null-termination check in mod_proxy_ajp (ajp_msg_get_string) that leads to a heap buffer over-read. Affected product: Apache HTTP Server; vulnerable component: mod_proxy_ajp; root cause: missing null...

5.3CVSS5.8AI score0.00485EPSS
CVE
CVE
•added 2026/05/04 2:41 p.m.•162 views

CVE-2026-33007

CVE-2026-33007 affects the Apache HTTP Server mod_authn_socache, where a NULL pointer dereference in 2.4.66 and earlier allows an unauthenticated remote user to crash a child process within a caching forward proxy configuration. The issue is resolved by upgrading to version 2.4.67. Unclear if in-...

5.3CVSS5.8AI score0.00514EPSS
CVE
CVE
•added 2002/06/25 4:0 a.m.•161 views

CVE-2001-0731

CVE-2001-0731 affects Apache 1.3.20 when Multiviews is enabled. A remote attacker can cause a directory listing to be displayed (information disclosure) by crafting a request containing an M=D query string, bypassing normal index page behavior. Public advisories and scans consistently reference t...

5CVSS6.4AI score0.56756EPSS
CVE
CVE
•added 2007/08/23 10:0 p.m.•157 views

CVE-2007-3847

CVE-2007-3847 affects Apache httpd 2.3.x (mod_proxy) where the date handling in modules/proxy/proxy_util.c under a threaded MPM can be triggered by crafted date headers, causing a buffer over-read and remote denial of service (caching forward proxy process crash). The linked advisories indicate t...

5CVSS9.2AI score0.12901EPSS
Total number of security vulnerabilities101