15 matches found
CVE-2025-23048
Affected software: Apache HTTP Server (httpd). CVE-2025-23048 describes an access-control bypass in mod_ssl when TLS 1.3 session resumption is used in configurations with multiple virtual hosts, each with different trusted client certificates; a client trusted for one vhost could access another i...
CVE-2025-58098
CVE-2025-58098 affects Apache HTTP Server 2.4.65 and earlier when Server Side Includes (SSI) is enabled and mod_cgid (not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives, enabling potential command injection. The issue impacts Apache HTTP Server before 2.4.66; remedia...
CVE-2025-59775
CVE-2025-59775 : SSRF in Apache HTTP Server on Windows when AllowEncodedSlashes On and MergeSlashes Off can leak NTLM hashes to a malicious server. Affected: Apache HTTP Server (Windows). Root cause: SSRF via UNC/NTLM-related handling as described in multiple security bulletins. Remediation: upgr...
CVE-2025-53020
CVE-2025-53020 affects Apache HTTP Server versions 2.4.17 through 2.4.63. The issue is described as a Late Release of Memory after Effective Lifetime vulnerability. The recommended remediation is to upgrade to version 2.4.64, which fixes the issue. Public references from Debian, Amazon Linux advi...
CVE-2025-66200
CVE-2025-66200 affects Apache HTTP Server 2.4.7–2.4.65. A mod_userdir+suexec bypass via AllowOverride FileInfo lets users with htaccess access to the RequestHeader directive cause some CGI scripts to execute under an unexpected userid. Connected advisories confirm the fix is in 2.4.66 (e.g., Debi...
CVE-2025-55753
CVE-2025-55753 affects Apache HTTP Server (2.4.30–2.4.65). The issue is an integer overflow during failed ACME certificate renewals that, after ~30 days in default configs, causes the backoff timer to become 0. Thereafter, renewal attempts occur repeatedly without delays until success, potentiall...
CVE-2025-65082
CVE-2025-65082 affects Apache HTTP Server 2.4.0–2.4.65, due to improper neutralization of Escape, Meta, or Control sequences in environment variables set via Apache config, which can supersede server-calculated CGI variables. The issue, identified across multiple advisories (Debian DLA-4452-1, AL...
CVE-2025-49812
CVE-2025-49812 affects Apache HTTP Server (httpd) via mod_ssl in some mod_ssl configurations up to version 2.4.63. An HTTP desynchronisation attack lets a MITM hijack a session during TLS upgrade when SSLEngine optional is used. Upgrading to httpd 2.4.64 (which removes TLS upgrade support) is the...
CVE-2024-47252
CVE-2024-47252 concerns the Apache HTTP Server’s mod_ssl: in versions up to 2.4.63, insufficient escaping of user-supplied data can allow an untrusted TLS client to insert escape characters into log files in some configurations (notably when CustomLog uses "%{varname}x" or "%{varname}c" to log mo...
CVE-2025-49630
CVE-2025-49630 affects the Apache HTTP Server (httpd) mod_proxy_http2. In certain reverse-proxy configurations (HTTP/2 backend and ProxyPreserveHost set to “on”), untrusted clients can trigger an assertion in mod_proxy_http2, causing a denial-of-service on affected 2.4.26–2.4.63 servers. Connecte...
CVE-2024-42516
CVE-2024-42516 affects Apache HTTP Server (httpd). The issue is HTTP response splitting caused by faulty input validation in the core, allowing manipulation of Content-Type headers to split responses. Reports indicate the vulnerability was discussed as CVE-2023-38709, with patches through 2.4.59 ...
CVE-2024-43394
Summary of CVE-2024-43394 : A Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows could leak NTLM hashes via unvalidated input passed through mod_rewrite or Apache expressions. Affected versions are 2.4.0 through 2.4.63. The issue stems from how UNC paths may be unwittingly used, ...
CVE-2024-43204
CVE-2024-43204 affects Apache HTTP Server when mod_proxy is loaded. The vulnerability permits SSRF by sending outbound proxy requests to a URL controlled by the attacker, requiring an unlikely configuration in which mod_headers modifies the Content-Type header with a value provided in the HTTP re...
CVE-2025-54090
Summary of CVE-2025-54090 : The issue affects Apache HTTP Server, specifically version 2.4.64, where all "RewriteCond expr ..." tests evaluate as true due to a bug in the expression evaluation. The remedy is to upgrade to version 2.4.65, which includes the fix. The provided connected documents co...
CVE-2025-3891
CVE-2025-3891 affects the Apache httpd mod_auth_openidc module. A remote, unauthenticated attacker can cause a DoS by sending an empty POST when the OIDCPreservePost directive is enabled, crashing the server and impacting availability. Evidence from multiple advisories confirms the issue and ment...