VYPR

Bitnami package

apache

pkg:bitnami/apache

Vulnerabilities (95)

  • CVE-2021-34798HigSep 16, 2021
    affected < 2.4.49fixed 2.4.49

    Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

  • CVE-2021-33193HigAug 16, 2021
    affected >= 2.4.17, < 2.4.49fixed 2.4.49

    A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

  • CVE-2021-31618HigJun 15, 2021
    affected >= 1.15.17, < 1.15.18fixed 1.15.18

    Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status

  • CVE-2021-30641MedJun 10, 2021
    affected >= 2.4.39, < 2.4.47fixed 2.4.47

    Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

  • CVE-2021-26691CriJun 10, 2021
    affected >= 2.4.0, < 2.4.47fixed 2.4.47

    In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow

  • CVE-2021-26690HigJun 10, 2021
    affected >= 2.4.0, < 2.4.47fixed 2.4.47

    Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service

  • CVE-2020-35452HigJun 10, 2021
    affected >= 2.4.0, < 2.4.47fixed 2.4.47

    Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation

  • CVE-2020-13950HigJun 10, 2021
    affected >= 2.4.41, < 2.4.47fixed 2.4.47

    Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service

  • CVE-2020-13938MedJun 10, 2021
    affected >= 2.4.0, < 2.4.47fixed 2.4.47

    Apache HTTP Server versions 2.4.0 to 2.4.46 Unprivileged local users can stop httpd on Windows

  • CVE-2020-9490HigAug 7, 2020
    affected >= 2.4.20, < 2.4.46fixed 2.4.46

    Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate thi

  • CVE-2020-11993HigAug 7, 2020
    affected >= 2.4.20, < 2.4.44fixed 2.4.44

    Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" w

  • CVE-2020-11985MedAug 7, 2020
    affected >= 2.4.1, < 2.4.24fixed 2.4.24

    IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but

  • CVE-2020-11984CriAug 7, 2020
    affected >= 2.4.32, < 2.4.44fixed 2.4.44

    Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

  • CVE-2020-1927MedApr 2, 2020
    affected >= 2.4.0, < 2.4.42fixed 2.4.42

    In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.

  • CVE-2020-1934MedApr 1, 2020
    affected >= 2.4.0, < 2.4.42fixed 2.4.42

    In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.

Page 5 of 5