Filtered by vendor Apache Subscriptions
Filtered by product Http Server Subscriptions
Total 306 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2018-8011 2 Apache, Netapp 2 Http Server, Cloud Backup 2024-09-16 N/A
By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.33).
CVE-2016-2161 2 Apache, Redhat 4 Http Server, Enterprise Linux, Jboss Core Services and 1 more 2024-09-16 N/A
In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.
CVE-2013-0942 3 Apache, Emc, Microsoft 3 Http Server, Rsa Authentication Agent, Internet Information Server 2024-09-16 N/A
Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Agent 7.1 before 7.1.1 for Web for Internet Information Services, and 7.1 before 7.1.1 for Web for Apache, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2002-2012 1 Apache 1 Http Server 2024-09-16 N/A
Unknown vulnerability in Apache 1.3.19 running on HP Secure OS for Linux 1.0 allows remote attackers to cause "unexpected results" via an HTTP request.
CVE-2017-9789 1 Apache 1 Http Server 2024-09-16 N/A
When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.
CVE-2016-4975 2 Apache, Redhat 3 Http Server, Enterprise Linux, Jboss Core Services 2024-09-16 N/A
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).
CVE-2018-1283 5 Apache, Canonical, Debian and 2 more 10 Http Server, Ubuntu Linux, Debian Linux and 7 more 2024-09-16 N/A
In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.
CVE-2018-17199 6 Apache, Canonical, Debian and 3 more 9 Http Server, Ubuntu Linux, Debian Linux and 6 more 2024-09-16 N/A
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
CVE-2018-1312 5 Apache, Canonical, Debian and 2 more 15 Http Server, Ubuntu Linux, Debian Linux and 12 more 2024-09-16 9.8 Critical
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
CVE-2001-1556 1 Apache 1 Http Server 2024-09-16 3.3 Low
The log files in Apache web server contain information directly supplied by clients and does not filter or quote control characters, which could allow remote attackers to hide HTTP requests and spoof source IP addresses when logs are viewed with UNIX programs such as cat, tail, and grep.
CVE-2017-9788 6 Apache, Apple, Debian and 3 more 18 Http Server, Mac Os X, Debian Linux and 15 more 2024-09-16 N/A
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service.
CVE-2016-0736 2 Apache, Redhat 4 Http Server, Enterprise Linux, Jboss Core Services and 1 more 2024-09-16 N/A
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
CVE-2018-1301 5 Apache, Canonical, Debian and 2 more 10 Http Server, Ubuntu Linux, Debian Linux and 7 more 2024-09-16 N/A
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.
CVE-2003-1581 1 Apache 1 Http Server 2024-09-16 N/A
The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue.
CVE-2016-8743 4 Apache, Debian, Netapp and 1 more 13 Http Server, Debian Linux, Clustered Data Ontap and 10 more 2024-09-16 7.5 High
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.
CVE-2013-5697 2 Apache, Simone Tellini 2 Http Server, Mod Accounting 2024-09-16 N/A
SQL injection vulnerability in mod_accounting.c in the mod_accounting module 0.5 and earlier for Apache allows remote attackers to execute arbitrary SQL commands via a Host header.
CVE-2024-40898 3 Apache, Microsoft, Redhat 3 Http Server, Windows, Jboss Core Services 2024-09-13 7.5 High
SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue. 
CVE-2024-39573 2 Apache, Redhat 4 Http Server, Enterprise Linux, Jboss Core Services and 1 more 2024-09-13 7.5 High
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
CVE-2024-38477 3 Apache, Netapp, Redhat 9 Http Server, Clustered Data Ontap, Enterprise Linux and 6 more 2024-09-13 7.5 High
null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.
CVE-2024-38474 3 Apache, Netapp, Redhat 9 Http Server, Clustered Data Ontap, Enterprise Linux and 6 more 2024-09-13 9.8 Critical
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.