rpm package
suse/apache2&distro=SUSE Linux Enterprise Server for SAP Applications 12 SP3
pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
Vulnerabilities (49)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-1301 | Med | 5.9 | < 2.4.23-29.18.2 | 2.4.23-29.18.2 | Mar 26, 2018 | A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both l | |
| CVE-2018-1283 | Med | 5.3 | < 2.4.23-29.18.2 | 2.4.23-29.18.2 | Mar 26, 2018 | In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_se | |
| CVE-2017-15715 | Hig | 8.1 | < 2.4.23-29.18.2 | 2.4.23-29.18.2 | Mar 26, 2018 | In Apache httpd 2.4.0 to 2.4.29, the expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally bloc | |
| CVE-2017-15710 | Hig | 7.5 | < 2.4.23-29.18.2 | 2.4.23-29.18.2 | Mar 26, 2018 | In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present | |
| CVE-2017-9798 | Hig | 7.5 | < 2.4.23-29.6.1 | 2.4.23-29.6.1 | Sep 18, 2017 | Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27 | |
| CVE-2016-8743 | Hig | 7.5 | < 2.4.23-29.24.1 | 2.4.23-29.24.1 | Jul 27, 2017 | Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or inter | |
| CVE-2017-7659 | Hig | 7.5 | < 2.4.23-29.13.1 | 2.4.23-29.13.1 | Jul 26, 2017 | A maliciously constructed HTTP/2 request could cause mod_http2 in Apache HTTP Server 2.4.24, 2.4.25 to dereference a NULL pointer and crash the server process. | |
| CVE-2017-9789 | Hig | 7.5 | < 2.4.23-29.13.1 | 2.4.23-29.13.1 | Jul 13, 2017 | When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behaviour. | |
| CVE-2017-9788 | Cri | 9.1 | < 2.4.23-29.3.2 | 2.4.23-29.3.2 | Jul 13, 2017 | In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could |
- affected < 2.4.23-29.18.2fixed 2.4.23-29.18.2
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both l
- affected < 2.4.23-29.18.2fixed 2.4.23-29.18.2
In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_se
- affected < 2.4.23-29.18.2fixed 2.4.23-29.18.2
In Apache httpd 2.4.0 to 2.4.29, the expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally bloc
- affected < 2.4.23-29.18.2fixed 2.4.23-29.18.2
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present
- affected < 2.4.23-29.6.1fixed 2.4.23-29.6.1
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27
- affected < 2.4.23-29.24.1fixed 2.4.23-29.24.1
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or inter
- affected < 2.4.23-29.13.1fixed 2.4.23-29.13.1
A maliciously constructed HTTP/2 request could cause mod_http2 in Apache HTTP Server 2.4.24, 2.4.25 to dereference a NULL pointer and crash the server process.
- affected < 2.4.23-29.13.1fixed 2.4.23-29.13.1
When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.
- affected < 2.4.23-29.3.2fixed 2.4.23-29.3.2
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could
Page 3 of 3