Lucene search
+L

15 matches found

CVE
CVE
added 2025/07/10 4:56 p.m.1254 views

CVE-2025-23048

Affected software: Apache HTTP Server (httpd). CVE-2025-23048 describes an access-control bypass in mod_ssl when TLS 1.3 session resumption is used in configurations with multiple virtual hosts, each with different trusted client certificates; a client trusted for one vhost could access another i...

9.1CVSS6.5AI score0.0097EPSS
CVE
CVE
added 2025/12/05 1:40 p.m.849 views

CVE-2025-58098

CVE-2025-58098 affects Apache HTTP Server 2.4.65 and earlier when Server Side Includes (SSI) is enabled and mod_cgid (not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives, enabling potential command injection. The issue impacts Apache HTTP Server before 2.4.66; remedia...

8.3CVSS6.5AI score0.01527EPSS
CVE
CVE
added 2025/12/05 10:17 a.m.729 views

CVE-2025-59775

CVE-2025-59775 : SSRF in Apache HTTP Server on Windows when AllowEncodedSlashes On and MergeSlashes Off can leak NTLM hashes to a malicious server. Affected: Apache HTTP Server (Windows). Root cause: SSRF via UNC/NTLM-related handling as described in multiple security bulletins. Remediation: upgr...

7.5CVSS6.5AI score0.00784EPSS
CVE
CVE
added 2025/07/10 4:59 p.m.599 views

CVE-2025-53020

CVE-2025-53020 affects Apache HTTP Server versions 2.4.17 through 2.4.63. The issue is described as a Late Release of Memory after Effective Lifetime vulnerability. The recommended remediation is to upgrade to version 2.4.64, which fixes the issue. Public references from Debian, Amazon Linux advi...

7.5CVSS6.5AI score0.04409EPSS
CVE
CVE
added 2025/12/05 11:2 a.m.595 views

CVE-2025-66200

CVE-2025-66200 affects Apache HTTP Server 2.4.7–2.4.65. A mod_userdir+suexec bypass via AllowOverride FileInfo lets users with htaccess access to the RequestHeader directive cause some CGI scripts to execute under an unexpected userid. Connected advisories confirm the fix is in 2.4.66 (e.g., Debi...

5.4CVSS6.6AI score0.00591EPSS
CVE
CVE
added 2025/12/05 10:12 a.m.506 views

CVE-2025-55753

CVE-2025-55753 affects Apache HTTP Server (2.4.30–2.4.65). The issue is an integer overflow during failed ACME certificate renewals that, after ~30 days in default configs, causes the backoff timer to become 0. Thereafter, renewal attempts occur repeatedly without delays until success, potentiall...

7.5CVSS6.8AI score0.00417EPSS
CVE
CVE
added 2025/12/05 10:46 a.m.451 views

CVE-2025-65082

CVE-2025-65082 affects Apache HTTP Server 2.4.0–2.4.65, due to improper neutralization of Escape, Meta, or Control sequences in environment variables set via Apache config, which can supersede server-calculated CGI variables. The issue, identified across multiple advisories (Debian DLA-4452-1, AL...

6.5CVSS6.5AI score0.00771EPSS
CVE
CVE
added 2025/07/10 4:58 p.m.437 views

CVE-2025-49812

CVE-2025-49812 affects Apache HTTP Server (httpd) via mod_ssl in some mod_ssl configurations up to version 2.4.63. An HTTP desynchronisation attack lets a MITM hijack a session during TLS upgrade when SSLEngine optional is used. Upgrading to httpd 2.4.64 (which removes TLS upgrade support) is the...

7.4CVSS6.4AI score0.00512EPSS
CVE
CVE
added 2025/07/10 4:55 p.m.389 views

CVE-2024-47252

CVE-2024-47252 concerns the Apache HTTP Server’s mod_ssl: in versions up to 2.4.63, insufficient escaping of user-supplied data can allow an untrusted TLS client to insert escape characters into log files in some configurations (notably when CustomLog uses "%{varname}x" or "%{varname}c" to log mo...

7.5CVSS6.4AI score0.00669EPSS
CVE
CVE
added 2025/07/10 4:57 p.m.341 views

CVE-2025-49630

CVE-2025-49630 affects the Apache HTTP Server (httpd) mod_proxy_http2. In certain reverse-proxy configurations (HTTP/2 backend and ProxyPreserveHost set to “on”), untrusted clients can trigger an assertion in mod_proxy_http2, causing a denial-of-service on affected 2.4.26–2.4.63 servers. Connecte...

7.5CVSS6.5AI score0.01149EPSS
CVE
CVE
added 2025/07/10 4:53 p.m.327 views

CVE-2024-42516

CVE-2024-42516 affects Apache HTTP Server (httpd). The issue is HTTP response splitting caused by faulty input validation in the core, allowing manipulation of Content-Type headers to split responses. Reports indicate the vulnerability was discussed as CVE-2023-38709, with patches through 2.4.59 ...

7.5CVSS6.9AI score0.00679EPSS
CVE
CVE
added 2025/07/10 4:56 p.m.289 views

CVE-2024-43394

Summary of CVE-2024-43394 : A Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows could leak NTLM hashes via unvalidated input passed through mod_rewrite or Apache expressions. Affected versions are 2.4.0 through 2.4.63. The issue stems from how UNC paths may be unwittingly used, ...

7.5CVSS6.5AI score0.01094EPSS
CVE
CVE
added 2025/07/10 4:54 p.m.261 views

CVE-2024-43204

CVE-2024-43204 affects Apache HTTP Server when mod_proxy is loaded. The vulnerability permits SSRF by sending outbound proxy requests to a URL controlled by the attacker, requiring an unlikely configuration in which mod_headers modifies the Content-Type header with a value provided in the HTTP re...

7.5CVSS6.4AI score0.00772EPSS
CVE
CVE
added 2025/07/23 1:19 p.m.260 views

CVE-2025-54090

Summary of CVE-2025-54090 : The issue affects Apache HTTP Server, specifically version 2.4.64, where all "RewriteCond expr ..." tests evaluate as true due to a bug in the expression evaluation. The remedy is to upgrade to version 2.4.65, which includes the fix. The provided connected documents co...

6.3CVSS6.2AI score0.00685EPSS
CVE
CVE
added 2025/04/29 11:56 a.m.117 views

CVE-2025-3891

CVE-2025-3891 affects the Apache httpd mod_auth_openidc module. A remote, unauthenticated attacker can cause a DoS by sending an empty POST when the OIDCPreservePost directive is enabled, crashing the server and impacting availability. Evidence from multiple advisories confirms the issue and ment...

7.5CVSS5.2AI score0.01214EPSS