rpm package
suse/apache2&distro=SUSE Linux Enterprise Server for SAP Applications 15
pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015
Vulnerabilities (30)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-26691 | Cri | 9.8 | < 2.4.33-3.50.1 | 2.4.33-3.50.1 | Jun 10, 2021 | In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow | |
| CVE-2021-26690 | Hig | 7.5 | < 2.4.33-3.50.1 | 2.4.33-3.50.1 | Jun 10, 2021 | Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service | |
| CVE-2020-35452 | Hig | 7.3 | < 2.4.33-3.50.1 | 2.4.33-3.50.1 | Jun 10, 2021 | Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation | |
| CVE-2020-9490 | Hig | 7.5 | < 2.4.33-3.33.1 | 2.4.33-3.33.1 | Aug 7, 2020 | Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate thi | |
| CVE-2020-11993 | Hig | 7.5 | < 2.4.33-3.33.1 | 2.4.33-3.33.1 | Aug 7, 2020 | Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" w | |
| CVE-2020-11984 | Cri | 9.8 | < 2.4.33-3.33.1 | 2.4.33-3.33.1 | Aug 7, 2020 | Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE | |
| CVE-2020-1927 | Med | 6.1 | < 2.4.33-3.30.1 | 2.4.33-3.30.1 | Apr 2, 2020 | In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. | |
| CVE-2020-1934 | Med | 5.3 | < 2.4.33-3.30.1 | 2.4.33-3.30.1 | Apr 1, 2020 | In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. | |
| CVE-2020-1938 | Cri | 9.8 | KEV | < 2.4.33-3.30.1 | 2.4.33-3.30.1 | Feb 24, 2020 | When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exp |
| CVE-2019-10092 | Med | 6.1 | < 2.4.33-3.50.1 | 2.4.33-3.50.1 | Sep 26, 2019 | In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server |
- affected < 2.4.33-3.50.1fixed 2.4.33-3.50.1
In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow
- affected < 2.4.33-3.50.1fixed 2.4.33-3.50.1
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service
- affected < 2.4.33-3.50.1fixed 2.4.33-3.50.1
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation
- affected < 2.4.33-3.33.1fixed 2.4.33-3.33.1
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate thi
- affected < 2.4.33-3.33.1fixed 2.4.33-3.33.1
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" w
- affected < 2.4.33-3.33.1fixed 2.4.33-3.33.1
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
- affected < 2.4.33-3.30.1fixed 2.4.33-3.30.1
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.
- affected < 2.4.33-3.30.1fixed 2.4.33-3.30.1
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.
- affected < 2.4.33-3.30.1fixed 2.4.33-3.30.1
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exp
- affected < 2.4.33-3.50.1fixed 2.4.33-3.50.1
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server
Page 2 of 2