22 matches found
CVE-2020-1927
CVE-2020-1927 affects Apache HTTP Server 2.4.0–2.4.41, where mod_rewrite redirects intended to be self-referential could be fooled by encoded newlines and redirect to an unexpected URL within the request. Multiple connected advisories confirm the issue and indicate that fixes were released in Apa...
CVE-2024-39884
CVE-2024-39884 affects Apache HTTP Server (notably 2.4.60 and older) where legacy content-type based configuration (e.g., AddType) could cause source code disclosure for indirectly requested files, potentially exposing local content (e.g., PHP scripts being served). Affected vendors consistently ...
CVE-2024-24795
CVE-2024-24795 (httpd) describes HTTP response splitting in multiple Apache HTTP Server modules when malicious response headers can be injected into backend applications, enabling HTTP desynchronization. The vulnerability is mitigated by upgrading to Apache HTTP Server 2.4.59, as indicated across...
CVE-2019-10098
Apache httpd (2.4.0–2.4.39) is affected by CVE-2019-10098 via mod_rewrite: self-referential redirects can be fooled by encoded newlines, causing redirects to an unexpected URL. Connected advisories confirm affected versions and that exploitation could enable phishing via redirects. Mitigation is ...
CVE-2019-10092
The CVE-2019-10092 entry concerns Apache HTTP Server 2.4.0–2.4.39 with a limited cross-site scripting in the mod_proxy error page. The vulnerability lets an attacker craft a link on the error page that could mislead users by pointing to a page of the attacker’s choosing, but exploitation requires...
CVE-2016-4975
CVE-2016-4975: Apache HTTP Server is vulnerable to CRLF injection in mod_userdir causing HTTP response splitting. Affected: 2.4.1–2.4.23. Mitigation/fix: upgrade to Apache HTTP Server 2.4.25 (and 2.2.32 for the 2.2 line). The issue is resolved by changes that prohibit CR or LF injection into head...
CVE-2014-0226
Apache HTTP Server CVE-2014-0226 is a race-condition vulnerability in the mod_status component that can cause a heap-based buffer overflow, denial of service, and potentially credential disclosure or code execution. Affects httpd before 2.4.10; the issue arises from improper scoreboard handling i...
CVE-2012-0883
CVE-2012-0883 affects the Apache HTTP Server up to version 2.4.2, where the envvars (envvars-std) feature places a zero-length directory name in LD_LIBRARY_PATH. This enables local users to gain privileges by exploiting a Trojan horse DSO in the current working directory during execution of apach...
CVE-2017-12171
CVE-2017-12171 is a vulnerability reported for Red Hat Enterprise Linux 6.9 with httpd 2.2.15-60. The regression causes comments in the Allow and Deny directives to be parsed incorrectly, potentially allowing a remote attacker to bypass access controls and gain access to a restricted HTTP resourc...
CVE-2025-65082
CVE-2025-65082 affects Apache HTTP Server 2.4.0–2.4.65, due to improper neutralization of Escape, Meta, or Control sequences in environment variables set via Apache config, which can supersede server-calculated CGI variables. The issue, identified across multiple advisories (Debian DLA-4452-1, AL...
CVE-2007-1741
CVE-2007-1741 affects Apache HTTP Server (httpd) and its suexec module (v2.2.3). The issue comprises multiple race conditions between directory/file validation and their usage in suexec, enabling local users to gain privileges and execute arbitrary code by renaming directories or performing symli...
CVE-2025-54090
Summary of CVE-2025-54090 : The issue affects Apache HTTP Server, specifically version 2.4.64, where all "RewriteCond expr ..." tests evaluate as true due to a bug in the expression evaluation. The remedy is to upgrade to version 2.4.65, which includes the fix. The provided connected documents co...
CVE-2007-4465
The CVE-2007-4465 entry covers an XSS in Apache httpd’s mod_autoindex.c (pre-2.2.6) where an undefined page charset allows injection via the P parameter using UTF-7. Impact is cross-site scripting; remediation is to upgrade Apache httpd to 2.2.6 or newer (as per the cited advisory). The descripti...
CVE-2006-4154
CVE-2006-4154 describes a format-string vulnerability in the Apache mod_tcl module (version 1.0 for Apache 2.x). The root cause is format string handling in calls to set_var (in tcl_cmds.c and tcl_core.c), allowing a remote attacker to execute arbitrary code with the httpd process privileges. Aff...
CVE-2009-1956
CVE-2009-1956: Off-by-one error in apr_brigade_vprintf in Apache APR-util before 1.3.5 on big-endian platforms. Remote attackers could obtain sensitive information or cause a denial of service (application crash) via crafted input. Affected product: APR-util (pre-1.3.5) used with APR/httpd; impac...
CVE-2002-0840
CVE-2002-0840 is a cross-site scripting (XSS) vulnerability in the default error page of Apache. It affects Apache 2.0 before 2.0.43 and 1.3.x up to 1.3.26, when UseCanonicalName is set to off and wildcard DNS is supported. An attacker can inject script via the Host header to execute in other vis...
CVE-2010-0010
The CVE-2010-0010 issue affects Apache HTTP Server’s mod_proxy (proxy_util.c) on 64-bit platforms. The root cause is an integer overflow in the ap_proxy_send_fb function when handling large chunk sizes, which can trigger a heap-based buffer overflow. This condition enables a remote origin server ...
CVE-2003-0192
CVE-2003-0192 describes an issue in Apache 2.x before 2.0.47 (and mod_ssl for Apache 1.3) where certain sequences of per-directory renegotiations combined with using SSLCipherSuite to upgrade a weak cipher could cause the server to continue using a weak cipher. The connected advisories confirm af...
CVE-2004-0493
The CVE-2004-0493 entry relates to Apache httpd 2.0.x prior to 2.0.50, where long MIME header lines with excessive spaces/tabs can cause memory exhaustion and, on 64-bit systems, a potential heap-based buffer overflow. Connected advisories confirm DoS concerns across Apache 2.0.x and related modu...
CVE-2026-29170
CVE-2026-29170 describes a cross-site scripting (XSS) vulnerability in Apache HTTP Server 2.4.67 and earlier, affecting mod_proxy_ftp during HTML directory list generation when listing FTP directory contents via forward or reverse proxy configurations. The vulnerability arises in the HTML directo...
CVE-2026-43951
CVE-2026-43951 : Out-of-bounds read in Apache HTTP Server affecting mod_headers and mod_mime across multiple response languages. Affected versions: 2.4.0–2.4.67. The vulnerability is described in enrichment as an out-of-bounds read in the merge_response_headers path, which can lead to a crash. No...
CVE-2026-33523
CVE-2026-33523 describes an HTTP response splitting vulnerability in multiple Apache HTTP Server modules when backends are untrusted or compromised. Affected product: Apache HTTP Server up to version 2.4.66. The issue is resolved by upgrading to version 2.4.67. The provided documents do not inclu...