Lucene search
K
OracleInstantis Enterprisetrack

57 matches found

CVE
CVE
added 2019/04/08 9:31 p.m.14712 views

CVE-2019-0211

CVE-2019-0211 affects Apache HTTP Server 2.4.17–2.4.38 when using MPM event, worker, or prefork. The issue arises from code executing in less-privileged child processes/threads (including in-process scripting interpreters) that could be exploited to run arbitrary code with the privileges of the p...

7.8CVSS7.2AI score0.65005EPSS
In wildWeb
CVE
CVE
added 2020/08/07 3:27 p.m.11985 views

CVE-2020-11984

CVE-2020-11984 affects Apache HTTP Server mod_proxy_uwsgi. Based on the provided documents, it is a vulnerability in httpd’s uwsgi handling that can lead to information disclosure and potentially remote code execution. The vulnerability was reported for Apache HTTP Server versions around 2.4.32 t...

9.8CVSS9.3AI score0.90039EPSS
In wild
CVE
CVE
added 2021/06/10 7:10 a.m.7479 views

CVE-2021-26691

CVE-2021-26691 affects Apache HTTP Server, where a crafted SessionHeader can cause a heap overflow in 2.4.0–2.4.46. Several connected advisories indicate that updates have been released (e.g., AlmaLinux/CentOS/Red Hat ecosystems) and that newer Apache HTTP Server versions (e.g., 2.4.51 in Check P...

9.8CVSS9.2AI score0.68067EPSS
CVE
CVE
added 2021/12/20 12:0 a.m.7248 views

CVE-2021-44790

CVE-2021-44790 affects Apache HTTP Server up to version 2.4.51. It describes a buffer overflow in the mod_lua multipart parser (triggered via r:parsebody() from Lua scripts). Connected documents corroborate this in various advisories and patch notes, indicating releases with fixes (e.g., patched ...

9.8CVSS9.9AI score0.97108EPSS
Web
CVE
CVE
added 2021/09/16 2:40 p.m.6648 views

CVE-2021-39275

CVE-2021-39275 affects Apache HTTP Server (httpd) up to 2.4.48 and earlier. The issue is an out-of-bounds write in ap_escape_quotes() when given malicious input, potentially crashing the server or enabling code execution in some environments. Several connected sources concur this vulnerability ex...

9.8CVSS9.3AI score0.36339EPSS
CVE
CVE
added 2020/04/01 11:8 p.m.5896 views

CVE-2020-1927

CVE-2020-1927 affects Apache HTTP Server 2.4.0–2.4.41, where mod_rewrite redirects intended to be self-referential could be fooled by encoded newlines and redirect to an unexpected URL within the request. Multiple connected advisories confirm the issue and indicate that fixes were released in Apa...

6.1CVSS6.7AI score0.56691EPSS
CVE
CVE
added 2020/04/01 7:22 p.m.5486 views

CVE-2020-1934

CVE-2020-1934 affects Apache HTTP Server 2.4.0–2.4.41 via mod_proxy_ftp, which may use uninitialized memory when proxying to a malicious FTP backend. Public advisories confirm the fixes in Apache HTTP Server 2.4.43+ (e.g., ALAS-2020-1370/ALAS2-2020-1427), so upgrading to 2.4.43 or newer is the re...

5.3CVSS6AI score0.51951EPSS
In wild
CVE
CVE
added 2019/08/13 8:50 p.m.5316 views

CVE-2019-9517

CVE-2019-9517 describes an attack against some HTTP/2 implementations where unconstrained internal data buffering can cause a denial of service. The vulnerability arises when an attacker floods a connection with a large number of requests for a large response object while manipulating HTTP/2 flow...

7.8CVSS7.7AI score0.27004EPSS
CVE
CVE
added 2021/09/16 2:40 p.m.4722 views

CVE-2021-40438

CVE-2021-40438 is an SSRF flaw in Apache HTTP Server 2.4.x through older revisions where a crafted request URI path can cause mod_proxy to forward the request to an origin server chosen by the remote user. The issue affects Apache httpd 2.4.48 and earlier; the CVSSv3.1 base score is 9.0 (CRITICAL...

9CVSS9.5AI score0.99999EPSS
In wildWeb
CVE
CVE
added 2020/02/24 9:19 p.m.4245 views

CVE-2020-1938

CVE-2020-1938 (Tomcat AJP vulnerability) : The issue affects Apache Tomcat where the AJP Connector, enabled by default in several legacy releases, could be reached through untrusted networks. An attacker could exploit the configured AJP path to read arbitrary files in the web application and pote...

9.8CVSS9.9AI score0.9927EPSS
In wildWeb
CVE
CVE
added 2019/09/26 2:40 p.m.3492 views

CVE-2019-10082

CVE-2019-10082 affects Apache HTTP Server 2.4.18–2.4.39, where fuzzed network input could cause read-after-free in http/2 session shutdown. Impact: remote, unauthenticated triggering memory faults in httpd workers, enabling potential DoS and other consequences. Connected sources indicate remediat...

9.1CVSS8.9AI score0.16549EPSS
CVE
CVE
added 2021/10/05 8:40 a.m.3341 views

CVE-2021-41773

CVE-2021-41773 is a path traversal vulnerability in Apache HTTP Server 2.4.49 affecting how path normalization maps URLs to files under Alias-like directives. The issue could allow access to files outside configured directories; if CGI scripts are enabled for those paths, remote code execution is...

9.8CVSS9.2AI score0.99992EPSS
In wild
CVE
CVE
added 2020/08/07 3:24 p.m.3197 views

CVE-2020-9490

CVE-2020-9490 affects Apache HTTP Server versions 2.4.20–2.4.43. A specially crafted value for the Cache-Digest header in an HTTP/2 request could cause a crash when the server subsequently attempts to HTTP/2 PUSH a resource. Mitigation for unpatched servers is to disable HTTP/2 PUSH via H2Push of...

7.5CVSS8.3AI score0.89744EPSS
In wild
CVE
CVE
added 2020/08/07 3:32 p.m.3075 views

CVE-2020-11993

CVE-2020-11993 affects Apache HTTP Server 2.4.20–2.4.43: when trace/debug is enabled for the HTTP/2 module and certain traffic patterns, logging can be performed on the wrong connection, leading to concurrent use of memory pools. Mitigation in public advisories: set LogLevel for mod_http2 above i...

7.5CVSS8.6AI score0.58716EPSS
In wild
CVE
CVE
added 2021/12/20 11:20 a.m.2718 views

CVE-2021-44224

CVE-2021-44224 concerns Apache HTTP Server (httpd) with the mod_proxy forward proxy configuration. A crafted URI to a forward proxy (ProxyRequests on) can trigger a NULL pointer dereference, causing a crash. In configurations that mix forward and reverse proxy declarations, it can enable requests...

8.2CVSS8.7AI score0.82295EPSS
CVE
CVE
added 2021/06/10 7:10 a.m.2546 views

CVE-2020-35452

The CVE-2020-35452 entry concerns Apache HTTP Server 2.4.0–2.4.46, where a specially crafted Digest nonce can trigger a stack overflow in mod_auth_digest. The description notes there was no reported exploit against Apache at the time, though certain compiler/compile options might enable it with l...

7.3CVSS8.5AI score0.53191EPSS
CVE
CVE
added 2021/10/07 3:50 p.m.2289 views

CVE-2021-42013

Summary: CVE-2021-42013 covers an incomplete fix to CVE-2021-41773 in Apache HTTP Server 2.4.49/2.4.50. Root cause: path traversal vulnerabilities in the 2.4.50 fix could map URLs outside configured directories; if CGI is enabled for aliased paths, remote code execution could occur. Affected vers...

9.8CVSS9.4AI score0.99964EPSS
In wild
CVE
CVE
added 2019/06/11 9:35 p.m.2159 views

CVE-2019-0197

The CVE-2019-0197 entry concerns Apache HTTP Server 2.4.34–2.4.38. When HTTP/2 is enabled for an http: host or H2Upgrade is enabled for h2 on an https: host, an Upgrade request from http/1.1 to http/2 that is not the first request on a connection could cause misconfiguration and crash. Servers th...

4.9CVSS5.5AI score0.08441EPSS
CVE
CVE
added 2021/06/10 7:10 a.m.2052 views

CVE-2021-26690

CVE-2021-26690 affects Apache HTTP Server 2.4.0–2.4.46 due to a NULL pointer dereference in mod_session when parsing a crafted Cookie header, leading to Denial of Service. Public advisories and vendor pages confirm a patch exists in newer httpd releases (e.g., 2.4.46+/2.4.51 in various distributi...

7.5CVSS8.6AI score0.65067EPSS
CVE
CVE
added 2021/09/16 2:40 p.m.2025 views

CVE-2021-34798

CVE-2021-34798 is a vulnerability in Apache HTTP Server where malformed requests may cause a NULL pointer dereference in the httpd core. The issue affects Apache HTTP Server 2.4.48 and earlier, and the resulting crash can lead to a Denial of Service. Multiple connected advisories confirm the same...

7.5CVSS8.8AI score0.64509EPSS
CVE
CVE
added 2021/06/10 7:10 a.m.1802 views

CVE-2019-17567

CVE-2019-17567 affects Apache HTTP Server 2.4.x where mod_proxy_wstunnel on a URL not guaranteed to be upgraded by the origin server tunnels the entire connection, allowing subsequent requests on the same TCP connection to bypass HTTP validation, authentication, or authorization. Public reference...

5.3CVSS7AI score0.60266EPSS
CVE
CVE
added 2018/09/25 9:0 p.m.1655 views

CVE-2018-11763

CVE-2018-11763 affects Apache HTTP Server 2.4.17–2.4.34 and targets the HTTP/2 implementation. The issue arises when a client sends continuous, large SETTINGS frames, allowing a single connection to occupy a server thread and CPU time without triggering a connection timeout. Impact is limited to ...

5.9CVSS5.6AI score0.51002EPSS
CVE
CVE
added 2017/10/03 3:0 p.m.1604 views

CVE-2017-12617

CVE-2017-12617 concerns Apache Tomcat JSP upload via HTTP PUT when readonly=false and PUTs are allowed. Affected: Tomcat 7.x/8.x/9.x (various 7.0.0–7.0.81, 8.0.0.RC1–8.0.46, 8.5.0–8.5.22, 9.0.0.M1–9.0.0) with PUT enabled. Root cause: PUT request handling allowed uploading a JSP, enabling remote c...

8.1CVSS7.5AI score0.99988EPSS
In wild
CVE
CVE
added 2021/09/16 2:40 p.m.1523 views

CVE-2021-36160

CVE-2021-36160 affects Apache HTTP Server mod_proxy_uwsgi. A crafted request URI-path can cause mod_proxy_uwsgi to read beyond allocated memory, triggering a DoS. The issue is reported for Apache httpd versions 2.4.30–2.4.48. Public sources in connected documents corroborate the impact as an out-...

7.5CVSS8.5AI score0.62887EPSS
In wild
CVE
CVE
added 2020/05/20 6:26 p.m.1516 views

CVE-2020-9484

CVE-2020-9484 is a deserialization flaw in Apache Tomcat that, under a specific FileStore PersistenceManager configuration and a crafted request, can trigger remote code execution. Affected are Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61, and 7.0.0 to 7.0.107 when the...

7CVSS7.5AI score0.56636EPSS
CVE
CVE
added 2019/09/26 2:21 p.m.1495 views

CVE-2019-10097

CVE-2019-10097 affects Apache HTTP Server 2.4.32–2.4.39 when mod_remoteip is configured to use a trusted intermediary proxy server via the PROXY protocol. A specially crafted PROXY header can trigger a stack buffer overflow or NULL pointer dereference, potentially crashing the server or impacting...

7.2CVSS8AI score0.52873EPSS
CVE
CVE
added 2020/02/24 9:11 p.m.1473 views

CVE-2020-1935

CVE-2020-1935 affects Apache Tomcat across multiple branches: 9.0.0.M1–9.0.30, 8.5.0–8.5.50, and 7.0.0–7.0.99. It stems from HTTP header parsing that can mishandle end-of-line and Transfer-Encoding, enabling HTTP Request Smuggling when Tomcat sits behind certain reverse proxies. Impact is informa...

5.8CVSS7.4AI score0.09386EPSS
CVE
CVE
added 2019/12/23 4:39 p.m.1243 views

CVE-2019-17563

Tomcat CVE-2019-17563: A race-condition in FORM authentication allowed a session-fixation window in Tomcat 9.0.0.M1–9.0.29, 8.5.0–8.5.49, and 7.0.0–7.0.98. The issue is acknowledged as a vulnerability with practical exploitation not detailed in the provided docs. Affected products: Apache Tomcat....

7.5CVSS7.7AI score0.10687EPSS
CVE
CVE
added 2021/06/10 7:10 a.m.1233 views

CVE-2021-30641

CVE-2021-30641 affects Apache HTTP Server 2.4.39–2.4.46 with unexpected matching behavior when MergeSlashes OFF. Connected sources indicate patched versions: Debian fixes in 2.4.38-based packages, AlmaLinux/RedHat advisories reference a fix in Apache 2.4.51 for supported Check Point versions, and...

5.3CVSS7.5AI score0.52331EPSS
CVE
CVE
added 2021/06/10 7:10 a.m.1219 views

CVE-2020-13950

CVE-2020-13950 affects Apache HTTP Server (httpd) mod_proxy_http, with versions 2.4.41–2.4.46 vulnerable to a NULL pointer dereference triggered by specially crafted requests using both Content-Length and Transfer-Encoding headers, causing Denial of Service. Connected documents confirm impact as ...

7.5CVSS8.4AI score0.49089EPSS
CVE
CVE
added 2021/12/18 11:55 a.m.1186 views

CVE-2021-45105

Summary of CVE-2021-45105 (Log4j2) : Affected Log4j 2.x versions 2.0-alpha1 through 2.16.0 (except 2.12.3 and 2.3.1) are vulnerable to denial of service via uncontrolled recursion triggered by self-referential lookups in Thread Context Map data. The root cause is improper handling of self-referen...

5.9CVSS7.7AI score0.99999EPSS
In wildWeb
CVE
CVE
added 2019/01/30 10:0 p.m.1159 views

CVE-2018-17189

CVE-2018-17189 : In Apache HTTP Server 2.4.37 and earlier, mod_http2 can cause a DoS by handling slowloris-style request bodies, unnecessarily occupying a server thread for the h2 stream on HTTP/2 connections. Affected product: Apache HTTP Server with mod_http2. Impact: denial of service via thre...

5.3CVSS6.1AI score0.19404EPSS
CVE
CVE
added 2020/07/14 3:0 p.m.974 views

CVE-2020-13935

CVE-2020-13935 affects Apache Tomcat: the WebSocket frame payload length was not properly validated, which could trigger an infinite loop and allow DoS via multiple invalid payloads. Affected: Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56, and 7.0.27 to 7.0.104. The initial d...

7.5CVSS7.5AI score0.87553EPSS
CVE
CVE
added 2021/03/01 12:0 p.m.968 views

CVE-2021-25329

The CVE-2021-25329 entry is tied to an incomplete fix for CVE-2020-9484 in Apache Tomcat. In affected releases (Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61, and 7.0.0 to 7.0.107) a configuration edge case that was deemed highly unlikely could leave the Tomcat instance vulnerab...

7CVSS7.3AI score0.09491EPSS
CVE
CVE
added 2021/06/29 10:55 a.m.964 views

CVE-2021-33503

CVE-2021-33503 affects urllib3 prior to 1.26.5, where the authority component regex can catastrophically backtrack on URLs containing many @ characters, leading to denial of service via parameters or redirects. Several connected sources note a patched version is available (e.g., python-urllib3 up...

7.5CVSS7.4AI score0.03273EPSS
CVE
CVE
added 2021/03/01 12:0 p.m.926 views

CVE-2021-25122

CVE-2021-25122 affects Apache Tomcat across multiple lines: 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, and 8.5.0 to 8.5.61. The issue allows duplicating request headers and a limited amount of request body from one request to another, enabling cross-user visibility of results (information disclosur...

7.5CVSS6.9AI score0.18114EPSS
CVE
CVE
added 2020/12/03 6:30 p.m.783 views

CVE-2020-17527

CVE-2020-17527 affects multiple Apache Tomcat releases where HTTP/2 stream handling could cause information leakage by reusing an HTTP request header value from a previous stream for the next stream. Affected products/versions include Tomcat 10.0.0-M1–M9, 9.0.0-M1–9.0.39, and 8.5.0–8.5.59; the is...

7.5CVSS7.5AI score0.24622EPSS
CVE
CVE
added 2020/10/12 1:46 p.m.766 views

CVE-2020-13943

CVE-2020-13943 affects Apache Tomcat across multiple lines: 8.5.x (8.5.0–8.5.57), 9.0.x (9.0.0.M1–9.0.37), and 10.0.x (10.0.0-M1–10.0.0-M7). The flaw occurs when an HTTP/2 client exceeds the maximum concurrent streams, causing a subsequent request on the same connection to carry headers from a pr...

4.3CVSS4.7AI score0.57286EPSS
CVE
CVE
added 2018/10/04 1:0 p.m.752 views

CVE-2018-11784

CVE-2018-11784 affects Apache Tomcat: the default servlet could be tricked into generating redirects to arbitrary URIs when handling requests like /foo, enabling open redirect. Affected branches include 9.0.x (9.0.0.M1–9.0.11), 8.5.x (8.5.0–8.5.33), and 7.0.x (7.0.23–7.0.90). Root cause is how th...

4.3CVSS5.1AI score0.94494EPSS
Web
CVE
CVE
added 2021/06/15 12:0 a.m.701 views

CVE-2021-31618

CVE-2021-31618 affects the Apache httpd mod_http2 component. The issue is a NULL pointer dereference in the HTTP/2 header handling when size limits are violated, leading to denial of service by crashing the httpd worker process. Affected releases include mod_http2 1.15.17 and Apache httpd 2.4.47 ...

7.5CVSS7.7AI score0.51208EPSS
In wild
CVE
CVE
added 2021/10/05 8:40 a.m.659 views

CVE-2021-41524

CVE-2021-41524 affects Apache HTTP Server (httpd) 2.4.49, where a null pointer dereference during HTTP/2 request processing can allow external sources to cause a DoS. The flaw was introduced with 2.4.49; no public exploit is shown in the documents. Check Point’s November 2021 advisory maps this C...

7.5CVSS7.4AI score0.24982EPSS
CVE
CVE
added 2020/07/14 2:59 p.m.626 views

CVE-2020-13934

CVE-2020-13934 affects multiple Apache Tomcat releases (8.5.1–8.5.56, 9.0.x, 10.0.x up to M6) where an h2c direct connection didn’t release the HTTP/1.1 processor after upgrading to HTTP/2, potentially causing OutOfMemoryError and denial of service. Public advisories across vendors and distributi...

7.5CVSS7.3AI score0.64124EPSS
CVE
CVE
added 2021/07/12 2:55 p.m.607 views

CVE-2021-33037

CVE-2021-33037 affects Apache Tomcat: versions 10.0.0-M1–10.0.6, 9.0.0.M1–9.0.46, and 8.5.0–8.5.66 may mishandle the HTTP transfer-encoding header with reverse proxies, enabling request smuggling. Root cause: improper header handling allowing spoofed content encoding sequencing. Impact stated in ...

5.3CVSS6.1AI score0.75353EPSS
CVE
CVE
added 2017/04/17 9:0 p.m.603 views

CVE-2017-5645

CVE-2017-5645 affects Apache Log4j 2.x prior to 2.8.2. The vulnerability arises when using a TCP/UDP socket server to receive serialized log events from another application; a crafted binary payload can be deserialized to execute arbitrary code. The documented impact is remote code execution via ...

9.8CVSS9.5AI score0.8904EPSS
CVE
CVE
added 2021/06/07 12:1 p.m.571 views

CVE-2021-22222

Wireshark is affected by CVE-2021-22222 due to an infinite loop in the DVB-S2-BB dissector, impacting 3.4.0 through 3.4.5 and enabling a denial-of-service via crafted captures or packet injection. The issue originates in the DVB-S2-BB parser; exploiting it causes the Wireshark process to hang, co...

7.5CVSS7.4AI score0.01789EPSS
CVE
CVE
added 2020/02/24 9:4 p.m.546 views

CVE-2019-17569

CVE-2019-17569: In Apache Tomcat, a regression from refactoring in 9.0.28–9.0.30, 8.5.48–8.5.50, and 7.0.98–7.0.99 caused invalid Transfer-Encoding header handling, enabling HTTP Request Smuggling behind a misconfigured reverse proxy. Connected advisories show mitigations: Amazon Linux 2 ALAS2TOM...

5.8CVSS7AI score0.08872EPSS
CVE
CVE
added 2020/04/09 2:49 a.m.510 views

CVE-2020-11655

SQLite through 3.31.1 is vulnerable to denial of service via a malformed window-function query caused by improper AggInfo initialization (CVE-2020-11655). Affected is the sqlite3 library used across distributions and apps; exploitation leads to segmentation faults. Remediation in the connected ad...

7.5CVSS7.9AI score0.04856EPSS
CVE
CVE
added 2019/01/30 10:0 p.m.500 views

CVE-2019-0190

Apache HTTP Server mod_ssl denial of service (CVE-2019-0190) occurs when renegotiations are mishandled with OpenSSL 1.1.1+, causing a loop and potential DoS. According to ALAS-2019-1166 and related advisories, the fix is to upgrade to Apache httpd 2.4.38 (mod_ssl 2.4.38) or newer; affected compon...

7.5CVSS7.1AI score0.59942EPSS
CVE
CVE
added 2019/10/23 7:27 p.m.345 views

CVE-2019-12415

CVE-2019-12415 affects Apache POI up to version 4.1.0. The vulnerability arises when using the tool XSSFExportToXml to convert user-supplied Excel documents, allowing an attacker to read local filesystem or internal network resources via XML External Entity (XXE) processing. The Connected documen...

5.5CVSS6.7AI score0.0099EPSS
CVE
CVE
added 2019/05/01 8:3 p.m.300 views

CVE-2019-0227

The CVE-2019-0227 entry concerns an SSRF in Apache Axis 1.4 (last released in 2006). The connected IBM bulletins confirm Axis 1.x vulnerability details and state Axis 2 is the successor, with 1.7.9 (Axis2) being not vulnerable. Affected Axis 1.x components are legacy; remediation is to upgrade to...

7.5CVSS8.3AI score0.86503EPSS
Web
Total number of security vulnerabilities57