rpm package
suse/apache2&distro=SUSE Linux Enterprise Module for Server Applications 15 SP1
pkg:rpm/suse/apache2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP1
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-11993 | — | < 2.4.33-3.33.1 | 2.4.33-3.33.1 | Aug 7, 2020 | Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" w | ||
| CVE-2020-11984 | — | < 2.4.33-3.33.1 | 2.4.33-3.33.1 | Aug 7, 2020 | Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE | ||
| CVE-2020-9490 | — | < 2.4.33-3.33.1 | 2.4.33-3.33.1 | Aug 7, 2020 | Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate thi | ||
| CVE-2020-1927 | — | < 2.4.33-3.30.1 | 2.4.33-3.30.1 | Apr 1, 2020 | In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. | ||
| CVE-2020-1934 | — | < 2.4.33-3.30.1 | 2.4.33-3.30.1 | Apr 1, 2020 | In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. | ||
| CVE-2020-1938 | — | KEV | < 2.4.33-3.30.1 | 2.4.33-3.30.1 | Feb 24, 2020 | When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exp | |
| CVE-2019-10082 | — | < 2.4.33-3.21.1 | 2.4.33-3.21.1 | Sep 26, 2019 | In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. | ||
| CVE-2019-10097 | — | < 2.4.33-3.21.1 | 2.4.33-3.21.1 | Sep 26, 2019 | In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggere | ||
| CVE-2019-10092 | — | < 2.4.33-3.21.1 | 2.4.33-3.21.1 | Sep 26, 2019 | In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server | ||
| CVE-2019-10098 | — | < 2.4.33-3.21.1 | 2.4.33-3.21.1 | Sep 25, 2019 | In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. | ||
| CVE-2019-10081 | — | < 2.4.33-3.21.1 | 2.4.33-3.21.1 | Aug 15, 2019 | HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the cl | ||
| CVE-2019-9517 | — | < 2.4.33-3.21.1 | 2.4.33-3.21.1 | Aug 13, 2019 | Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually writ |
- CVE-2020-11993Aug 7, 2020affected < 2.4.33-3.33.1fixed 2.4.33-3.33.1
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" w
- CVE-2020-11984Aug 7, 2020affected < 2.4.33-3.33.1fixed 2.4.33-3.33.1
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
- CVE-2020-9490Aug 7, 2020affected < 2.4.33-3.33.1fixed 2.4.33-3.33.1
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate thi
- CVE-2020-1927Apr 1, 2020affected < 2.4.33-3.30.1fixed 2.4.33-3.30.1
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.
- CVE-2020-1934Apr 1, 2020affected < 2.4.33-3.30.1fixed 2.4.33-3.30.1
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.
- affected < 2.4.33-3.30.1fixed 2.4.33-3.30.1
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exp
- CVE-2019-10082Sep 26, 2019affected < 2.4.33-3.21.1fixed 2.4.33-3.21.1
In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.
- CVE-2019-10097Sep 26, 2019affected < 2.4.33-3.21.1fixed 2.4.33-3.21.1
In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggere
- CVE-2019-10092Sep 26, 2019affected < 2.4.33-3.21.1fixed 2.4.33-3.21.1
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server
- CVE-2019-10098Sep 25, 2019affected < 2.4.33-3.21.1fixed 2.4.33-3.21.1
In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.
- CVE-2019-10081Aug 15, 2019affected < 2.4.33-3.21.1fixed 2.4.33-3.21.1
HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the cl
- CVE-2019-9517Aug 13, 2019affected < 2.4.33-3.21.1fixed 2.4.33-3.21.1
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually writ