Lucene search: Apache HTTP Server

301 matches found

CVE | added 2009/05/28 8:30 p.m. | 344 views

CVE-2009-1195

The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then...

CVSS 4.9 | AI score 7.3 | EPSS 0.00128
CVE | added 2018/07/18 2:29 p.m. | 338 views

CVE-2018-8011

By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.33).

CVSS 7.5 | AI score 7.3 | EPSS 0.3815
CVE | added 2009/06/08 1:00 a.m. | 334 views

CVE-2009-1955

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number ...

CVSS 7.5 | AI score 6.9 | EPSS 0.03518
CVE | added 2007/01/05 6:28 p.m. | 298 views

CVE-2007-0086

The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. NOTE: the severity of this issue has been disputed by...

CVSS 7.8 | AI score 7.3 | EPSS 0.02043
CVE | added 2008/01/12 12:46 a.m. | 296 views

CVE-2007-6423

Unspecified vulnerability in mod_proxy_balancer for Apache HTTP Server 2.2.x before 2.2.7-dev, when running on Windows, allows remote attackers to trigger memory corruption via a long URL. NOTE: the vendor could not reproduce this issue

CVSS 7.8 | AI score 6.5 | EPSS 0.02941
CVE | added 2007/03/16 10:19 p.m. | 276 views

CVE-2007-0450

Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "" (ba...

CVSS 5 | AI score 6.2 | EPSS 0.85693
CVE | added 2007/12/03 10:46 p.m. | 274 views

CVE-2007-6203

Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary head...

CVSS 4.3 | AI score 7.6 | EPSS 0.80153
CVE | added 2024/07/18 10:15 a.m. | 274 views

CVE-2024-40725

A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local conten...

CVSS 5.3 | AI score 7.4 | EPSS 0.24775
CVE | added 2007/12/13 6:46 p.m. | 266 views

CVE-2007-5000

Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified v...

CVSS 4.3 | AI score 8 | EPSS 0.71173
CVE | added 2007/10/18 10:00 a.m. | 260 views

CVE-2002-2272

Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values.

CVSS 7.8 | AI score 6.7 | EPSS 0.20744
CVE | added 2012/01/28 4:05 a.m. | 257 views

CVE-2012-0021

The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks bot...

CVSS 2.6 | AI score 8.8 | EPSS 0.26185
CVE | added 2000/03/22 5:00 a.m. | 252 views

CVE-1999-0678

A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server.

CVSS 5 | AI score 6.6 | EPSS 0.17194
CVE | added 2009/10/13 10:30 a.m. | 251 views

CVE-2009-2699

The Solaris pollset feature in the Event Port backend in poll/unix/port.c in the Apache Portable Runtime (APR) library before 1.3.9, as used in the Apache HTTP Server before 2.2.14 and other products, does not properly handle errors, which allows remote attackers to cause a denial of service (daemo...

CVSS 7.5 | AI score 7.3 | EPSS 0.0901
CVE | added 2017/07/13 4:29 p.m. | 247 views

CVE-2017-9789

When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.

CVSS 7.5 | AI score 8.2 | EPSS 0.11834
CVE | added 2008/01/25 1:00 a.m. | 246 views

CVE-2008-0456

CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response...

CVSS 2.6 | AI score 7.2 | EPSS 0.0661
CVE | added 2007/04/13 4:19 p.m. | 236 views

CVE-2007-1741

Multiple race conditions in suexec in Apache HTTP Server (httpd) 2.2.3 between directory and file validation, and their usage, allow local users to gain privileges and execute arbitrary code by renaming directories or performing symlink attacks. NOTE: the researcher, who is reliable, claims that th...

CVSS 6.2 | AI score 7.2 | EPSS 0.00068
CVE | added 2008/06/13 6:41 p.m. | 235 views

CVE-2008-2364

The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of inter...

CVSS 5 | AI score 7.2 | EPSS 0.01714
CVE | added 2008/01/08 6:46 p.m. | 213 views

CVE-2007-6388

Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 4.3 | AI score 8 | EPSS 0.65396
CVE | added 2006/07/28 12:04 a.m. | 211 views

CVE-2006-3918

http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-s...

CVSS 4.3 | AI score 7 | EPSS 0.80153
CVE | added 2003/11/03 5:00 a.m. | 194 views

CVE-2003-0542

Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.

CVSS 7.2 | AI score 7.8 | EPSS 0.00669
CVE | added 2007/06/27 5:30 p.m. | 192 views

CVE-2006-5752

Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with bro...

CVSS 4.3 | AI score 5.7 | EPSS 0.06389
CVE | added 2003/04/02 5:00 a.m. | 189 views

CVE-2002-0392

Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a chunk-encoded HTTP request that causes Apache to use an incorrect size.

CVSS 7.5 | AI score 7.4 | EPSS 0.60117
CVE | added 2008/01/08 6:46 p.m. | 186 views

CVE-2007-6422

The balancer_handler function in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6, when a threaded Multi-Processing Module is used, allows remote authenticated users to cause a denial of service (child process crash) via an invalid bb variable.

CVSS 4 | AI score 5.8 | EPSS 0.00611
CVE | added 2008/01/12 12:46 a.m. | 185 views

CVE-2007-6420

Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers to gain privileges via unspecified vectors.

CVSS 4.3 | AI score 6.7 | EPSS 0.16983
CVE | added 2007/09/14 12:17 a.m. | 184 views

CVE-2007-4465

Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that t...

CVSS 6.1 | AI score 5.4 | EPSS 0.0895
CVE | added 2004/09/01 4:00 a.m. | 180 views

CVE-2003-0020

Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.

CVSS 5 | AI score 7.7 | EPSS 0.14397
CVE | added 2006/10/16 7:07 p.m. | 178 views

CVE-2006-4154

Format string vulnerability in the mod_tcl module 1.0 for Apache 2.x allows context-dependent attackers to execute arbitrary code via format string specifiers that are not properly handled in a set_var function call in (1) tcl_cmds.c and (2) tcl_core.c.

CVSS 6.8 | AI score 7.3 | EPSS 0.04869
CVE | added 2005/04/21 4:00 a.m. | 176 views

CVE-2004-1082

mod_digest_apple for Apache 1.3.31 and 1.3.32 on Mac OS X Server does not properly verify the nonce of a client response, which allows remote attackers to replay credentials.

CVSS 7.5 | AI score 8.1 | EPSS 0.05081
CVE | added 2012/08/22 7:55 p.m. | 176 views

CVE-2012-3502

The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp module and (2) mod_proxy_http.c in the mod_proxy_http module in the Apache HTTP Server 2.4.x before 2.4.3 does not properly determine the situations that require closing a back-end connection, which allows remote attackers to obtai...

CVSS 4.3 | AI score 6 | EPSS 0.04747
CVE | added 2008/01/08 7:46 p.m. | 175 views

CVE-2007-6421

Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) ss, (2) wr, or (3) rr parameters, or (4) the URL.

CVSS 3.5 | AI score 7.8 | EPSS 0.02116
CVE | added 2009/12/04 9:30 p.m. | 174 views

CVE-2009-3560

The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProl...

CVSS 5 | AI score 7.5 | EPSS 0.00946
CVE | added 2005/08/05 4:00 a.m. | 167 views

CVE-2005-1268

Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.

CVSS 5 | AI score 6.6 | EPSS 0.01988
CVE | added 2009/11/03 4:30 p.m. | 167 views

CVE-2009-3720

The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read...

CVSS 5 | AI score 7 | EPSS 0.00946
CVE | added 2003/11/03 5:00 a.m. | 166 views

CVE-2003-0789

mod_cgid in Apache before 2.0.48, when using a threaded MPM, does not properly handle CGI redirect paths, which could cause Apache to send the output of a CGI program to the wrong client.

CVSS 10 | AI score 7.3 | EPSS 0.10113
CVE | added 2010/10/04 9:00 p.m. | 166 views

CVE-2010-1623

Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory co...

CVSS 5 | AI score 6.3 | EPSS 0.14655
CVE | added 2009/09/08 6:30 p.m. | 165 views

CVE-2009-3094

The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command.

CVSS 2.6 | AI score 6.4 | EPSS 0.03285
CVE | added 2008/05/13 9:20 p.m. | 153 views

CVE-2008-2168

Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page.

CVSS 4.3 | AI score 5.4 | EPSS 0.64917
CVE | added 2007/04/13 5:19 p.m. | 146 views

CVE-2007-1743

suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combinations of user and group IDs on the command line, which might allow local users to leverage other vulnerabilities to create arbitrary UID/GID owned files if /proc is mounted. NOTE: the researcher, who is reliable, claims that the vend...

CVSS 4.4 | AI score 6.5 | EPSS 0.0011
CVE | added 2007/06/20 10:30 p.m. | 141 views

CVE-2007-3304

Apache httpd 1.3.37, 2.0.59, and 2.2.4 with the Prefork MPM module, allows local users to cause a denial of service by modifying the worker_score and process_score arrays to reference an arbitrary process ID, which is sent a SIGUSR1 signal from the master process, aka "SIGUSR1 killer."

CVSS 4.7 | AI score 6.2 | EPSS 0.00143
CVE | added 2004/07/07 4:00 a.m. | 139 views

CVE-2004-0488

Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN.

CVSS 7.5 | AI score 9.7 | EPSS 0.26607
CVE | added 2004/09/01 4:00 a.m. | 133 views

CVE-2003-0993

mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions.

CVSS 7.5 | AI score 7.3 | EPSS 0.13904
CVE | added 2007/04/13 5:19 p.m. | 132 views

CVE-2007-1742

suexec in Apache HTTP Server (httpd) 2.2.3 uses a partial comparison for verifying whether the current directory is within the document root, which might allow local users to perform unauthorized operations on incorrect directories, as demonstrated using "html_backup" and "htmleditor" under an "htm...

CVSS 3.7 | AI score 6 | EPSS 0.00146
CVE | added 2009/06/08 1:00 a.m. | 132 views

CVE-2009-1956

Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.

CVSS 6.4 | AI score 7.4 | EPSS 0.05939
CVE | added 2004/09/01 4:00 a.m. | 131 views

CVE-2002-0840

Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header, a different vuln...

CVSS 6.8 | AI score 8.4 | EPSS 0.88769
CVE | added 2006/08/14 8:04 p.m. | 131 views

CVE-2006-4110

Apache 2.2.2, when running on Windows, allows remote attackers to read source code of CGI programs via a request that contains uppercase (or alternate case) characters that bypass the case-sensitive ScriptAlias directive, but allow access to the file on case-insensitive file systems.

CVSS 4.3 | AI score 6.8 | EPSS 0.3219
CVE | added 2025/07/10 5:15 p.m. | 128 views

CVE-2025-23048

In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trus...

CVSS 9.1 | AI score 6.5 | EPSS 0.00059
CVE | added 2003/04/02 5:00 a.m. | 127 views

CVE-2002-0061

Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell metacharacters (a | pipe character) provided as arguments to batch (.bat) or .cmd scripts, which are sent unfiltered to the shell interpreter, typically cmd.exe.

CVSS 7.5 | AI score 7.5 | EPSS 0.83651
CVE | added 2002/06/25 4:00 a.m. | 126 views

CVE-2001-0731

Apache 1.3.20 with Multiviews enabled allows remote attackers to view directory contents and bypass the index page via a URL containing the "M=D" query string.

CVSS 5 | AI score 6.4 | EPSS 0.61594
CVE | added 2003/06/09 4:00 a.m. | 125 views

CVE-2003-0245

Vulnerability in the apr_psprintf function in the Apache Portable Runtime (APR) library for Apache 2.0.37 through 2.0.45 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long strings, as demonstrated using XML objects to mod_dav, and possibly othe...

CVSS 5 | AI score 7.7 | EPSS 0.78915
CVE | added 2004/11/03 5:00 a.m. | 125 views

CVE-2004-0885

The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SSLCipherSuite" directive in directory or location context, allows remote clients to bypass intended restrictions by using any cipher suite that is allowed by the virtual host configuration.

CVSS 7.5 | AI score 8 | EPSS 0.19744
Total number of security vulnerabilities: 301