rpm package
suse/apache2&distro=SUSE Linux Enterprise Server for SAP Applications 12 SP4
pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
Vulnerabilities (44)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-0217 | — | < 2.4.23-29.40.1 | 2.4.23-29.40.1 | Apr 8, 2019 | In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. | ||
| CVE-2018-17199 | — | < 2.4.23-29.34.4 | 2.4.23-29.34.4 | Jan 30, 2019 | In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded. | ||
| CVE-2018-17189 | — | < 2.4.23-29.34.4 | 2.4.23-29.34.4 | Jan 30, 2019 | In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections. | ||
| CVE-2018-11763 | Med | 5.9 | < 2.4.23-29.27.2 | 2.4.23-29.27.2 | Sep 25, 2018 | In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 p |
- CVE-2019-0217Apr 8, 2019affected < 2.4.23-29.40.1fixed 2.4.23-29.40.1
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
- CVE-2018-17199Jan 30, 2019affected < 2.4.23-29.34.4fixed 2.4.23-29.34.4
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
- CVE-2018-17189Jan 30, 2019affected < 2.4.23-29.34.4fixed 2.4.23-29.34.4
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
- affected < 2.4.23-29.27.2fixed 2.4.23-29.27.2
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 p
Page 3 of 3