VYPR

HTTP Server

by Apache

CVEs (341)

  • CVE-2021-34798 | Sep 16, 2021
    risk 0.01 | cvss | epss 0.65

    Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

  • CVE-2021-31618 | Jun 15, 2021
    risk 0.01 | cvss | epss 0.51

    Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions an HTTP response is sent to the client with a…

  • CVE-2020-35452 | Jun 10, 2021
    risk 0.01 | cvss | epss 0.53

    Apache HTTP Server versions 2.4.0 to 2.4.46: A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor could the Apache HTTP Server team create one, though some particular compiler and/or compilation…

  • CVE-2020-13950 | Jun 10, 2021
    risk 0.01 | cvss | epss 0.49

    Apache HTTP Server versions 2.4.41 to 2.4.46: mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service.

  • CVE-2019-17567 | Jun 10, 2021
    risk 0.01 | cvss | epss 0.60

    Apache HTTP Server versions 2.4.6 to 2.4.46: mod_proxy_wstunnel configured on a URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP…

  • CVE-2020-11985 | Aug 7, 2020
    risk 0.01 | cvss | epss 0.06

    IP address spoofing when proxying using mod_remoteip and mod_rewrite. For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24…

  • CVE-2019-0196 | Jun 11, 2019
    risk 0.01 | cvss | epss 0.19

    A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly.

  • CVE-2018-17189 | Jan 30, 2019
    risk 0.01 | cvss | epss 0.19

    In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.

  • CVE-2018-17199 | Jan 30, 2019
    risk 0.01 | cvss | epss 0.20

    In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

  • CVE-2014-3583 | Dec 15, 2014
    risk 0.01 | cvss | epss 0.11

    The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers.

  • CVE-2014-3581 | Oct 10, 2014
    risk 0.01 | cvss | epss 0.13

    The cache_merge_headers_out function in modules/cache/cache_util.c in the mod_cache module in the Apache HTTP Server before 2.4.11 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty HTTP Content-Type header.

  • CVE-2014-3523 | Jul 20, 2014
    risk 0.01 | cvss | epss 0.16

    Memory leak in the winnt_accept function in server/mpm/winnt/child.c in the WinNT MPM in the Apache HTTP Server 2.4.x before 2.4.10 on Windows, when the default AcceptFilter is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted…

  • CVE-2013-4352 | Jul 20, 2014
    risk 0.01 | cvss | epss 0.12

    The cache_invalidate function in modules/cache/cache_storage.c in the mod_cache module in the Apache HTTP Server 2.4.6, when a caching forward proxy is enabled, allows remote HTTP servers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that…

  • CVE-2013-2249 | Jul 23, 2013
    risk 0.01 | cvss | epss 0.14

    mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.

  • CVE-2012-4557 | Nov 30, 2012
    risk 0.01 | cvss | epss 0.17

    The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive request.

  • CVE-2012-3502 | Aug 22, 2012
    risk 0.01 | cvss | epss 0.10

    The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp module and (2) mod_proxy_http.c in the mod_proxy_http module in the Apache HTTP Server 2.4.x before 2.4.3 does not properly determine the situations that require closing a back-end connection, which allows…

  • CVE-2011-1783 | Jun 6, 2011
    risk 0.01 | cvss | epss 0.07

    The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is enabled, allows remote attackers to cause a denial of service (infinite loop and memory consumption) in…

  • CVE-2011-1928 | May 24, 2011
    risk 0.01 | cvss | epss 0.10

    The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns,…

  • CVE-2010-2791 | Aug 5, 2010
    risk 0.01 | cvss | epss 0.08

    mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different…

  • CVE-2010-2068 | Jun 18, 2010
    risk 0.01 | cvss | epss 0.16

    mod_proxy_http.c in mod_proxy_http in the Apache HTTP Server 2.2.9 through 2.2.15, 2.3.4-alpha, and 2.3.5-alpha on Windows, NetWare, and OS/2, in certain configurations involving proxy worker pools, does not properly detect timeouts, which allows remote attackers to obtain a…
