HTTP Server
by Apache
CVEs (341)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-36160 | | | 0.00 | — | 0.63 | | Sep 16, 2021 | A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). |
| CVE-2020-13938 | | | 0.00 | — | 0.12 | | Jun 10, 2021 | Apache HTTP Server versions 2.4.0 to 2.4.46: unprivileged local users can stop httpd on Windows. |
| CVE-2020-1927 | | | 0.00 | — | 0.57 | | Apr 1, 2020 | In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. |
| CVE-2019-15600 | | | 0.00 | — | 0.03 | | Dec 18, 2019 | A path traversal exists in http_server which allows an attacker to read arbitrary system files. |
| CVE-2014-9699 | | | 0.00 | — | 0.01 | | Jun 24, 2019 | The MakerBot Replicator 5G printer runs an Apache HTTP Server with directory indexing enabled. Apache logs, system logs, design files (i.e., a history of print files), and more are exposed to unauthenticated attackers through this HTTP server. |
| CVE-2019-0197 | | | 0.00 | — | 0.08 | | Jun 11, 2019 | A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration… |
| CVE-2019-0215 | | | 0.00 | — | 0.11 | | Apr 8, 2019 | In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions. |
| CVE-2015-3185 | | | 0.00 | — | 0.19 | | Jul 20, 2015 | The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended… |
| CVE-2015-3183 | | | 0.00 | — | 0.73 | | Jul 20, 2015 | The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid… |
| CVE-2015-0253 | | | 0.00 | — | 0.15 | | Jul 20, 2015 | The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a… |
| CVE-2015-0228 | | | 0.00 | — | 0.19 | | Mar 8, 2015 | The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade… |
| CVE-2014-8109 | | | 0.00 | — | 0.22 | | Dec 29, 2014 | mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass… |
| CVE-2012-0883 | | | 0.00 | — | 0.01 | | Apr 18, 2012 | envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl. |
| CVE-2010-1623 | | | 0.00 | — | 0.20 | | Oct 4, 2010 | Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial… |
| CVE-2010-2327 | | | 0.00 | — | 0.01 | | Jun 18, 2010 | mod_ibm_ssl in IBM HTTP Server 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11, as used in IBM WebSphere Application Server (WAS) on z/OS, does not properly handle a large HTTP request body in uploading over SSL, which might allow remote attackers to cause a… |
| CVE-2010-1151 | | | 0.00 | — | 0.04 | | Apr 20, 2010 | Race condition in the mod_auth_shadow module for the Apache HTTP Server allows remote attackers to bypass authentication, and read and possibly modify data, via vectors related to improper interaction with an external helper application for validation of credentials. |
| CVE-2003-1581 | | | 0.00 | — | 0.03 | | Feb 5, 2010 | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an… |
| CVE-2003-1580 | | | 0.00 | — | 0.04 | | Feb 5, 2010 | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing… |
| CVE-2009-1956 | | | 0.00 | — | 0.12 | | Jun 8, 2009 | Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input. |
| CVE-2009-0023 | | | 0.00 | — | 0.09 | | Jun 8, 2009 | The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive… |