Lucene search
K
ApacheHttp Server

31 matches found

CVE
CVE
added 2017/06/20 1:0 a.m.22696 views

CVE-2017-7679

CVE-2017-7679 affects Apache HTTP Server (httpd) mod_mime. A buffer over-read allows reading one byte past the end of a buffer when sending a malicious Content-Type header, potentially enabling a crash or memory access issues. Affected products include httpd 2.2.x before 2.2.33 and 2.4.x before 2...

9.8CVSS9.5AI score0.39341EPSS
CVE
CVE
added 2022/06/08 10:0 a.m.19065 views

CVE-2022-31813

CVE-2022-31813 affects Apache HTTP Server 2.4.53 and older; due to hop-by-hop handling, X-Forwarded-* headers may be dropped to the origin server, which can enable bypass of IP-based authentication. All connected advisories indicate the fix is in Apache HTTP Server 2.4.54 and related updates in d...

9.8CVSS9.4AI score0.0314EPSS
CVE
CVE
added 2020/08/07 3:27 p.m.11988 views

CVE-2020-11984

CVE-2020-11984 affects Apache HTTP Server mod_proxy_uwsgi. Based on the provided documents, it is a vulnerability in httpd’s uwsgi handling that can lead to information disclosure and potentially remote code execution. The vulnerability was reported for Apache HTTP Server versions around 2.4.32 t...

9.8CVSS9.3AI score0.90039EPSS
In wild
CVE
CVE
added 2022/03/14 10:15 a.m.10406 views

CVE-2022-23943

CVE-2022-23943 is an out-of-bounds write vulnerability in httpd’s mod_sed that could allow memory corruption by attacker-supplied data. Affected: Apache HTTP Server 2.4.52 and earlier. Mitigation: upgrade to a fixed release (e.g., httpd 2.4.53 or later) as indicated by multiple advisories (includ...

9.8CVSS9.2AI score0.50401EPSS
CVE
CVE
added 2024/07/01 6:15 p.m.9514 views

CVE-2024-38476

CVE-2024-38476 concerns Apache HTTP Server 2.4.59 and earlier where backend applications emitting malicious or exploitable response headers can lead to information disclosure, SSRF, or local script execution via internal redirects. The connected advisories confirm the issue affects httpd/core beh...

9.8CVSS6.2AI score0.41611EPSS
CVE
CVE
added 2023/03/07 3:9 p.m.9275 views

CVE-2023-25690

CVE-2023-25690 concerns Apache HTTP Server 2.4.0–2.4.55 with mod_proxy enabled when combined with certain RewriteRule or ProxyPassMatch patterns that re-insert user-supplied URL data into the proxied request-target via variable substitution. The underlying flaw enables HTTP request smuggling thro...

9.8CVSS9.8AI score0.8377EPSS
In wildWeb
CVE
CVE
added 2022/03/14 10:15 a.m.8156 views

CVE-2022-22720

CVE-2022-22720 – Apache httpd HTTP Request Smuggling (details from connected docs) Affected software: Apache HTTP Server (httpd) versions 2.4.52 and earlier. Root cause / description: Inbound connections are not closed when errors occur while discarding the request body, which can expose the serv...

9.8CVSS9.4AI score0.28189EPSS
CVE
CVE
added 2017/06/20 1:0 a.m.7632 views

CVE-2017-3167

CVE-2017-3167 affects Apache httpd 2.2.x prior to 2.2.33 and 2.4.x prior to 2.4.26. The issue is that third‑party modules using ap_get_basic_auth_pw() outside the authentication phase can bypass authentication requirements. Connected sources confirm the impact and upstream fixes: update to httpd ...

9.8CVSS9.6AI score0.20231EPSS
CVE
CVE
added 2021/06/10 7:10 a.m.7482 views

CVE-2021-26691

CVE-2021-26691 affects Apache HTTP Server, where a crafted SessionHeader can cause a heap overflow in 2.4.0–2.4.46. Several connected advisories indicate that updates have been released (e.g., AlmaLinux/CentOS/Red Hat ecosystems) and that newer Apache HTTP Server versions (e.g., 2.4.51 in Check P...

9.8CVSS9.2AI score0.68067EPSS
CVE
CVE
added 2018/03/26 3:0 p.m.7390 views

CVE-2018-1312

CVE-2018-1312 affects Apache httpd 2.2.0–2.4.29 where nonce generation for HTTP Digest authentication was not seeded with a proper pseudo-random seed. This allowed replay across servers in a common Digest configuration. Public advisories (CentOS, Debian, Arch Linux, ALT Linux) fix confirmed in ve...

9.8CVSS7.5AI score0.15885EPSS
CVE
CVE
added 2021/12/20 12:0 a.m.7269 views

CVE-2021-44790

CVE-2021-44790 affects Apache HTTP Server up to version 2.4.51. It describes a buffer overflow in the mod_lua multipart parser (triggered via r:parsebody() from Lua scripts). Connected documents corroborate this in various advisories and patch notes, indicating releases with fixes (e.g., patched ...

9.8CVSS9.9AI score0.97108EPSS
Web
CVE
CVE
added 2021/09/16 2:40 p.m.6653 views

CVE-2021-39275

CVE-2021-39275 affects Apache HTTP Server (httpd) up to 2.4.48 and earlier. The issue is an out-of-bounds write in ap_escape_quotes() when given malicious input, potentially crashing the server or enabling code execution in some environments. Several connected sources concur this vulnerability ex...

9.8CVSS9.3AI score0.36339EPSS
CVE
CVE
added 2017/06/20 1:0 a.m.5934 views

CVE-2017-3169

CVE-2017-3169 affects Apache HTTP Server (httpd) up to the fixed versions: 2.2.x before 2.2.33 and 2.4.x before 2.4.26. The vulnerability is a NULL pointer dereference in the httpd’s mod_ssl component when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS po...

9.8CVSS9.4AI score0.19953EPSS
CVE
CVE
added 2021/09/16 2:40 p.m.4724 views

CVE-2021-40438

CVE-2021-40438 is an SSRF flaw in Apache HTTP Server 2.4.x through older revisions where a crafted request URI path can cause mod_proxy to forward the request to an origin server chosen by the remote user. The issue affects Apache httpd 2.4.48 and earlier; the CVSSv3.1 base score is 9.0 (CRITICAL...

9CVSS9.5AI score0.99999EPSS
In wildWeb
CVE
CVE
added 2022/06/08 10:0 a.m.3625 views

CVE-2022-28615

CVE-2022-28615 affects Apache HTTP Server 2.4.53 and earlier, where a read beyond bounds can occur in ap_strcmp_match() when given a very large input buffer. The issue may affect third‑party modules or lua scripts that call this function. Advisories in connected documents reference an official fi...

9.1CVSS9AI score0.05729EPSS
CVE
CVE
added 2019/09/26 2:40 p.m.3494 views

CVE-2019-10082

CVE-2019-10082 affects Apache HTTP Server 2.4.18–2.4.39, where fuzzed network input could cause read-after-free in http/2 session shutdown. Impact: remote, unauthenticated triggering memory faults in httpd workers, enabling potential DoS and other consequences. Connected sources indicate remediat...

9.1CVSS8.9AI score0.16549EPSS
CVE
CVE
added 2021/10/05 8:40 a.m.3365 views

CVE-2021-41773

CVE-2021-41773 is a path traversal vulnerability in Apache HTTP Server 2.4.49 affecting how path normalization maps URLs to files under Alias-like directives. The issue could allow access to files outside configured directories; if CGI scripts are enabled for those paths, remote code execution is...

9.8CVSS9.2AI score0.99992EPSS
In wild
CVE
CVE
added 2017/07/13 4:0 p.m.3297 views

CVE-2017-9788

Apache httpd vulnerability CVE-2017-9788 stems from mod_auth_digest not initializing or resetting the value placeholder in Digest Proxy-Authorization headers between key=value assignments, which can leak previous memory data or cause a segfault/DoS. Affected: httpd 2.2.34 and 2.4.x prior to 2.4.2...

9.1CVSS8.4AI score0.5677EPSS
CVE
CVE
added 2024/07/01 6:14 p.m.3027 views

CVE-2024-38474

CVE-2024-38474 affects Apache HTTP Server’s mod_rewrite: substitutions that capture and substitute unsafely can be mis-encoded, enabling unintended access paths. The issue is fixed by upgrading to Apache HTTP Server 2.4.60 (and related advisories note versions 2.4.61+ as subsequent fixes). Connec...

9.8CVSS9.8AI score0.02456EPSS
CVE
CVE
added 2023/01/17 7:11 p.m.2566 views

CVE-2022-36760

CVE-2022-36760 affects Apache HTTP Server mod_proxy_ajp, enabling HTTP Request Smuggling by an attacker to forward requests to the AJP backend. Public docs confirm impact on Apache httpd 2.4.54 and earlier; remediation is to upgrade to a fixed release (e.g., httpd 2.4.55+ as referenced by advisor...

9CVSS8.5AI score0.01879EPSS
CVE
CVE
added 2022/03/14 10:15 a.m.2524 views

CVE-2022-22721

CVE-2022-22721 concerns the Apache HTTP Server. On 32-bit systems, if LimitXMLRequestBody is set to allow request bodies larger than 350 MB (default 1 MB), an integer overflow can occur, leading to out-of-bounds writes. Affected product: Apache HTTP Server 2.4.52 and earlier. Impact per sources: ...

9.1CVSS9.4AI score0.41861EPSS
CVE
CVE
added 2021/10/07 3:50 p.m.2292 views

CVE-2021-42013

Summary: CVE-2021-42013 covers an incomplete fix to CVE-2021-41773 in Apache HTTP Server 2.4.49/2.4.50. Root cause: path traversal vulnerabilities in the 2.4.50 fix could map URLs outside configured directories; if CGI is enabled for aliased paths, remote code execution could occur. Affected vers...

9.8CVSS9.4AI score0.99964EPSS
In wild
CVE
CVE
added 2024/07/18 9:32 a.m.2010 views

CVE-2024-40898

The CVE-2024-40898 entry describes an SSRF vulnerability in Apache HTTP Server on Windows when using mod_rewrite in the server/vhost context. The issue can allow leaking NTLM hashes to a malicious server via crafted requests. Affected software is Apache HTTP Server; the remediation is to upgrade ...

9.1CVSS7.4AI score0.01536EPSS
CVE
CVE
added 2024/07/01 6:15 p.m.1843 views

CVE-2024-38475

CVE-2024-38475 affects Apache HTTP Server 2.4.59 and earlier, where improper escaping of output in mod_rewrite can map URLs to filesystem locations that are served but not directly reachable, enabling remote code execution or source code disclosure. The issue also involves substitutions in server...

9.1CVSS9.7AI score0.99957EPSS
In wild
CVE
CVE
added 2009/11/09 5:0 p.m.1316 views

CVE-2009-3555

CVE-2009-3555 concerns a TLS/SSL renegotiation flaw where renegotiation handshakes were not properly associated with the existing connection, enabling MITM data insertion in HTTPS and other TLS/SSL sessions (Project Mogul). Connected advisories show concrete mitigations and affected software: Pou...

9.8CVSS6AI score0.87264EPSS
CVE
CVE
added 2025/07/10 4:56 p.m.1250 views

CVE-2025-23048

Affected software: Apache HTTP Server (httpd). CVE-2025-23048 describes an access-control bypass in mod_ssl when TLS 1.3 session resumption is used in configurations with multiple virtual hosts, each with different trusted client certificates; a client trusted for one vhost could access another i...

9.1CVSS6.5AI score0.0097EPSS
Web
CVE
CVE
added 2026/05/05 9:29 p.m.573 views

CVE-2026-28780

CVE-2026-28780 is a heap-based buffer overflow in Apache HTTP Server’s mod_proxy_ajp (via ajp_msg_check_header()). Reports across Debian, FreeBSD/vuxml, Alpine, and NC SC advisories confirm impact on versions up to 2.4.66 and a fix in 2.4.67 . The issue allows memory corruption and can contribute...

9.8CVSS5.8AI score0.01376EPSS
CVE
CVE
added 2026/06/08 3:19 p.m.515 views

CVE-2026-44631

CVE-2026-44631 describes a Buffer Underwrite in the Apache HTTP Server when processing crafted regular expressions in its configuration. The issue affects Apache httpd from version 2.4.0 through 2.4.67. The advisory recommends upgrading to version 2.4.68, which contains the fix. The provided conn...

9.8CVSS5.4AI score0.00486EPSS
CVE
CVE
added 2026/06/08 3:7 p.m.434 views

CVE-2026-29167

CVE-2026-29167 is a Use After Free vulnerability in Apache HTTP Server when using mod_ldap in per-directory configuration. The issue affects Apache HTTP Server versions 2.4.0 through 2.4.67. The CVSS base score is 9.8 (Network, N), with high impact on confidentiality, integrity, and availability....

9.8CVSS5.4AI score0.00663EPSS
CVE
CVE
added 2026/06/08 3:14 p.m.204 views

CVE-2026-42535

CVE-2026-42535 affects Apache httpd’s mod_dav_fs in versions 2.4.67 and earlier. A path handling issue lets a WebDAV content author directly manipulate trusted DAV property databases, with the practical impact described as potential child process crashes. The recommended remediation is upgrading ...

9.1CVSS5.4AI score0.00538EPSS
CVE
CVE
added 2001/10/12 4:0 a.m.67 views

CVE-2001-0766

CVE-2001-0766 affects Apache on MacOS X Client 10.0.3 with HFS+; a case-insensitive filesystem leads to bypassing URL-based access filters. The root cause is that Apache’s file access protection assumes a case-sensitive FS, so URLs with mixed case can bypass / restrictions, potentially exposing p...

9.8CVSS9.4AI score0.08856EPSS