VYPR

Httpd

by Apache

CVEs (28)

  • CVE-2018-1312 | Critical | Mar 26, 2018
    risk 0.65 | cvss 9.8 | epss 0.16

    In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests…

  • CVE-2017-3169 | Critical | Jun 20, 2017
    risk 0.65 | cvss 9.8 | epss 0.20

    In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.

  • CVE-2017-3167 | Critical | Jun 20, 2017
    risk 0.65 | cvss 9.8 | epss 0.20

    In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

  • CVE-2017-9788 | Critical | Jul 13, 2017
    risk 0.64 | cvss 9.1 | epss 0.57

    In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment…

  • CVE-2017-15715 | High | Mar 26, 2018
    risk 0.60 | cvss 8.1 | epss 0.86

    In Apache httpd 2.4.0 to 2.4.29, the expression specified in could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally…

  • CVE-1999-0236 | High | Jan 1, 1997
    risk 0.54 | cvss 7.5 | epss 0.26

    ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.

  • CVE-2024-45416 | High | Sep 16, 2024
    risk 0.53 | cvss 8.1 | epss 0.01

    The HTTPD binary in multiple ZTE routers has a local file inclusion vulnerability in session_init function. The session -LUA- files are stored in the directory /var/lua_session, the function iterates on all files in this directory and executes them using the function dofile…

  • CVE-2026-24072 | High | May 4, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

  • CVE-2017-15710 | High | Mar 26, 2018
    risk 0.50 | cvss 7.5 | epss 0.18

    In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user's credentials. If the header value is not present…

  • CVE-2017-9789 | High | Jul 13, 2017
    risk 0.50 | cvss 7.5 | epss 0.10

    When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.

  • CVE-2004-2096 | Dec 31, 2004
    risk 0.03 | cvss n/a | epss 0.02

    Cross-site scripting (XSS) vulnerability in Mephistoles httpd 0.6.0 final allows remote attackers to execute arbitrary script as other users by injecting arbitrary HTML or script into the URL.

  • CVE-2019-11356 | Jun 3, 2019
    risk 0.02 | cvss n/a | epss 0.08

    The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name.

  • CVE-2009-1891 | Jul 10, 2009
    risk 0.01 | cvss n/a | epss 0.17

    The mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until completion even after the associated network connection is closed, which allows remote attackers to cause a denial of service (CPU consumption).

  • CVE-2006-1681 | Apr 11, 2006
    risk 0.01 | cvss n/a | epss 0.07

    Cross-site scripting (XSS) vulnerability in Cherokee HTTPD 0.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a malformed request that generates an HTTP 400 error, which is not properly handled when the error message is generated.

  • CVE-2004-0811 | Dec 31, 2004
    risk 0.01 | cvss n/a | epss 0.07

    Unknown vulnerability in Apache 2.0.51 prevents "the merging of the Satisfy directive," which could allow attackers to obtain access to restricted resources contrary to the specified authentication configuration.

  • CVE-2004-0885 | Nov 3, 2004
    risk 0.01 | cvss n/a | epss 0.14

    The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SSLCipherSuite" directive in directory or location context, allows remote clients to bypass intended restrictions by using any cipher suite that is allowed by the virtual host configuration.

  • CVE-2004-0809 | Sep 16, 2004
    risk 0.01 | cvss n/a | epss 0.15

    The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access.

  • CVE-2003-0253 | Aug 18, 2003
    risk 0.01 | cvss n/a | epss 0.09

    The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service.

  • CVE-2000-1204 | Oct 13, 2000
    risk 0.01 | cvss n/a | epss 0.11

    Vulnerability in the mod_vhost_alias virtual hosting module for Apache 1.3.9, 1.3.11 and 1.3.12 allows remote attackers to obtain the source code for CGI programs if the cgi-bin directory is under the document root.

  • CVE-2025-27452 | Jul 3, 2025
    risk 0.00 | cvss n/a | epss 0.00

    The configuration of the Apache httpd webserver, which serves the MEAC300-FNADE4 web application, is partly insecure. There are modules activated that are not required for the operation of the FNADE4 web application. The functionality of some modules poses a risk to the…
