VYPR

rpm package

opensuse/apache2&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/apache2&distro=openSUSE%20Tumbleweed

Vulnerabilities (136)

  • CVE-2021-41773KEVOct 5, 2021
    affected < 2.4.51-1.1fixed 2.4.51-1.1

    A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usu

  • CVE-2019-10082Sep 26, 2019
    affected < 2.4.49-1.1fixed 2.4.49-1.1

    In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.

  • CVE-2019-10097Sep 26, 2019
    affected < 2.4.49-1.1fixed 2.4.49-1.1

    In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggere

  • CVE-2019-10092Sep 26, 2019
    affected < 2.4.49-1.1fixed 2.4.49-1.1

    In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server

  • CVE-2019-10098Sep 25, 2019
    affected < 2.4.49-1.1fixed 2.4.49-1.1

    In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.

  • CVE-2019-10081Aug 15, 2019
    affected < 2.4.49-1.1fixed 2.4.49-1.1

    HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the cl

  • CVE-2019-9517Aug 13, 2019
    affected < 2.4.49-1.1fixed 2.4.49-1.1

    Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually writ

  • CVE-2017-9798HigSep 18, 2017
    affected < 2.4.49-1.1fixed 2.4.49-1.1

    Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27

  • CVE-2016-8740HigDec 5, 2016
    affected < 2.4.49-1.1fixed 2.4.49-1.1

    The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in a

  • CVE-2016-5387HigJul 19, 2016
    affected < 2.4.49-1.1fixed 2.4.49-1.1

    The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traff

  • CVE-2016-4979HigJul 6, 2016
    affected < 2.4.23-4.1fixed 2.4.23-4.1

    The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the abili

  • CVE-2015-0253Jul 20, 2015
    affected < 2.4.23-4.1fixed 2.4.23-4.1

    The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method

  • CVE-2015-4000LowMay 21, 2015
    affected < 2.4.23-4.1fixed 2.4.23-4.1

    The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by D

  • CVE-2015-0228Mar 8, 2015
    affected < 2.4.23-4.1fixed 2.4.23-4.1

    The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade functio

  • CVE-2014-8109Dec 29, 2014
    affected < 2.4.23-4.1fixed 2.4.23-4.1

    mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intend

  • CVE-2014-3583Dec 15, 2014
    affected < 2.4.23-4.1fixed 2.4.23-4.1

    The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers.

  • CVE-2014-3581Oct 10, 2014
    affected < 2.4.23-4.1fixed 2.4.23-4.1

    The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.

  • CVE-2014-3523Jul 20, 2014
    affected < 2.4.23-4.1fixed 2.4.23-4.1

    Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted requests

  • CVE-2014-0231Jul 20, 2014
    affected < 2.4.23-4.1fixed 2.4.23-4.1

    The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor.

  • CVE-2014-0226Jul 20, 2014
    affected < 2.4.23-4.1fixed 2.4.23-4.1

    Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers im

Page 4 of 7