Bitnami package
apache
pkg:bitnami/apache
Vulnerabilities (95)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-34798 | Hig | 7.5 | < 2.4.49 | 2.4.49 | Sep 16, 2021 | Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier. | |
| CVE-2021-33193 | Hig | 7.5 | >= 2.4.17, < 2.4.49 | 2.4.49 | Aug 16, 2021 | A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48. | |
| CVE-2021-31618 | Hig | 7.5 | >= 1.15.17, < 1.15.18 | 1.15.18 | Jun 15, 2021 | Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status | |
| CVE-2021-30641 | Med | 5.3 | >= 2.4.39, < 2.4.47 | 2.4.47 | Jun 10, 2021 | Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF' | |
| CVE-2021-26691 | Cri | 9.8 | >= 2.4.0, < 2.4.47 | 2.4.47 | Jun 10, 2021 | In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow | |
| CVE-2021-26690 | Hig | 7.5 | >= 2.4.0, < 2.4.47 | 2.4.47 | Jun 10, 2021 | Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service | |
| CVE-2020-35452 | Hig | 7.3 | >= 2.4.0, < 2.4.47 | 2.4.47 | Jun 10, 2021 | Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation | |
| CVE-2020-13950 | Hig | 7.5 | >= 2.4.41, < 2.4.47 | 2.4.47 | Jun 10, 2021 | Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service | |
| CVE-2020-13938 | Med | 5.5 | >= 2.4.0, < 2.4.47 | 2.4.47 | Jun 10, 2021 | Apache HTTP Server versions 2.4.0 to 2.4.46 Unprivileged local users can stop httpd on Windows | |
| CVE-2020-9490 | Hig | 7.5 | >= 2.4.20, < 2.4.46 | 2.4.46 | Aug 7, 2020 | Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate thi | |
| CVE-2020-11993 | Hig | 7.5 | >= 2.4.20, < 2.4.44 | 2.4.44 | Aug 7, 2020 | Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" w | |
| CVE-2020-11985 | Med | 5.3 | >= 2.4.1, < 2.4.24 | 2.4.24 | Aug 7, 2020 | IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but | |
| CVE-2020-11984 | Cri | 9.8 | >= 2.4.32, < 2.4.44 | 2.4.44 | Aug 7, 2020 | Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE | |
| CVE-2020-1927 | Med | 6.1 | >= 2.4.0, < 2.4.42 | 2.4.42 | Apr 2, 2020 | In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. | |
| CVE-2020-1934 | Med | 5.3 | >= 2.4.0, < 2.4.42 | 2.4.42 | Apr 1, 2020 | In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. |
- affected < 2.4.49fixed 2.4.49
Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.
- affected >= 2.4.17, < 2.4.49fixed 2.4.49
A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
- affected >= 1.15.17, < 1.15.18fixed 1.15.18
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status
- affected >= 2.4.39, < 2.4.47fixed 2.4.47
Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'
- affected >= 2.4.0, < 2.4.47fixed 2.4.47
In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow
- affected >= 2.4.0, < 2.4.47fixed 2.4.47
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service
- affected >= 2.4.0, < 2.4.47fixed 2.4.47
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation
- affected >= 2.4.41, < 2.4.47fixed 2.4.47
Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service
- affected >= 2.4.0, < 2.4.47fixed 2.4.47
Apache HTTP Server versions 2.4.0 to 2.4.46 Unprivileged local users can stop httpd on Windows
- affected >= 2.4.20, < 2.4.46fixed 2.4.46
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate thi
- affected >= 2.4.20, < 2.4.44fixed 2.4.44
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" w
- affected >= 2.4.1, < 2.4.24fixed 2.4.24
IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but
- affected >= 2.4.32, < 2.4.44fixed 2.4.44
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
- affected >= 2.4.0, < 2.4.42fixed 2.4.42
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.
- affected >= 2.4.0, < 2.4.42fixed 2.4.42
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.
Page 5 of 5