VYPR

rpm package

opensuse/apache2&distro=openSUSE Leap 15.2

pkg:rpm/opensuse/apache2&distro=openSUSE%20Leap%2015.2

Vulnerabilities (14)

  • CVE-2021-40438 | KEV | Sep 16, 2021
    affected < 2.4.43-lp152.2.21.1, fixed 2.4.43-lp152.2.21.1

    A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

  • CVE-2021-39275 | Sep 16, 2021
    affected < 2.4.43-lp152.2.21.1, fixed 2.4.43-lp152.2.21.1

    ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

  • CVE-2021-36160 | Sep 16, 2021
    affected < 2.4.43-lp152.2.21.1, fixed 2.4.43-lp152.2.21.1

    A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

  • CVE-2021-34798 | Sep 16, 2021
    affected < 2.4.43-lp152.2.21.1, fixed 2.4.43-lp152.2.21.1

    Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

  • CVE-2021-33193 | Aug 16, 2021
    affected < 2.4.43-lp152.2.18.1, fixed 2.4.43-lp152.2.18.1

    A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

  • CVE-2021-31618 | Jun 15, 2021
    affected < 2.4.43-lp152.2.15.1, fixed 2.4.43-lp152.2.15.1

    Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions an HTTP response is sent to the client with a status

  • CVE-2021-30641 | Jun 10, 2021
    affected < 2.4.43-lp152.2.15.1, fixed 2.4.43-lp152.2.15.1

    Apache HTTP Server versions 2.4.39 to 2.4.46: unexpected matching behavior with 'MergeSlashes OFF'.

  • CVE-2021-26691 | Jun 10, 2021
    affected < 2.4.43-lp152.2.15.1, fixed 2.4.43-lp152.2.15.1

    In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted SessionHeader sent by an origin server could cause a heap overflow.

  • CVE-2021-26690 | Jun 10, 2021
    affected < 2.4.43-lp152.2.15.1, fixed 2.4.43-lp152.2.15.1

    Apache HTTP Server versions 2.4.0 to 2.4.46: a specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial of Service.

  • CVE-2020-35452 | Jun 10, 2021
    affected < 2.4.43-lp152.2.15.1, fixed 2.4.43-lp152.2.15.1

    Apache HTTP Server versions 2.4.0 to 2.4.46: a specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor could the Apache HTTP Server team create one, though some particular compiler and/or compilation

  • CVE-2020-13950 | Jun 10, 2021
    affected < 2.4.43-lp152.2.15.1, fixed 2.4.43-lp152.2.15.1

    Apache HTTP Server versions 2.4.41 to 2.4.46: mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service.

  • CVE-2020-11993 | Aug 7, 2020
    affected < 2.4.43-lp152.2.3.1, fixed 2.4.43-lp152.2.3.1

    Apache HTTP Server versions 2.4.20 to 2.4.43: when trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" w

  • CVE-2020-11984 | Aug 7, 2020
    affected < 2.4.43-lp152.2.3.1, fixed 2.4.43-lp152.2.3.1

    Apache HTTP Server 2.4.32 to 2.4.44: mod_proxy_uwsgi info disclosure and possible RCE.

  • CVE-2020-9490 | Aug 7, 2020
    affected < 2.4.43-lp152.2.3.1, fixed 2.4.43-lp152.2.3.1

    Apache HTTP Server versions 2.4.20 to 2.4.43: a specially crafted value for the 'Cache-Digest' header in an HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate thi