VYPR

HTTP Server

by Apache

Source repositories

CVEs (341)

  • CVE-2020-9490Aug 7, 2020
    risk 0.06cvss epss 0.90

    Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate…

  • CVE-2007-6388Jan 8, 2008
    risk 0.06cvss epss 0.76

    Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2007-6514Dec 21, 2007
    risk 0.06cvss epss 0.38

    Apache HTTP Server, when running on Linux with a document root on a Windows share mounted using smbfs, allows remote attackers to obtain unprocessed content such as source files for .php programs via a trailing "\" (backslash), which is not handled by the intended AddType…

  • CVE-2006-4110Aug 14, 2006
    risk 0.06cvss epss 0.37

    Apache 2.2.2, when running on Windows, allows remote attackers to read source code of CGI programs via a request that contains uppercase (or alternate case) characters that bypass the case-sensitive ScriptAlias directive, but allow access to the file on case-insensitive file…

  • CVE-1999-1412Jun 3, 1999
    risk 0.06cvss epss 0.35

    A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes.

  • CVE-1999-0678Jan 17, 1999
    risk 0.06cvss epss 0.31

    A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server.

  • CVE-2023-43622Oct 23, 2023
    risk 0.05cvss epss 0.71

    An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This…

  • CVE-2023-25690Mar 7, 2023
    risk 0.05cvss epss 0.84

    Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some…

  • CVE-2022-23943Mar 14, 2022
    risk 0.05cvss epss 0.50

    Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.

  • CVE-2021-26690Jun 10, 2021
    risk 0.05cvss epss 0.65

    Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service

  • CVE-2013-5704Apr 15, 2014
    risk 0.05cvss epss 0.60

    The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as…

  • CVE-2011-0419May 16, 2011
    risk 0.05cvss epss 0.30

    Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris…

  • CVE-2002-2029Dec 31, 2002
    risk 0.05cvss epss 0.25

    PHP, when installed on Windows with Apache and ScriptAlias for /php/ set to c:/php/, allows remote attackers to read arbitrary files and possibly execute arbitrary programs via an HTTP request for php.exe with a filename in the query string.

  • CVE-1999-0448Jan 1, 1999
    risk 0.05cvss epss 0.24

    IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.

  • CVE-1999-0107Dec 30, 1997
    risk 0.05cvss epss 0.20

    Buffer overflow in Apache 1.2.5 and earlier allows a remote attacker to cause a denial of service with a large number of GET requests containing a large number of / characters.

  • CVE-1999-0045Dec 10, 1996
    risk 0.05cvss epss 0.26

    List of arbitrary files on Web host via nph-test-cgi script.

  • CVE-2021-33193Aug 16, 2021
    risk 0.04cvss epss 0.46

    A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

  • CVE-2021-26691Jun 10, 2021
    risk 0.04cvss epss 0.68

    In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow

  • CVE-2014-0231Jul 20, 2014
    risk 0.04cvss epss 0.44

    The mod_cgid module in the Apache HTTP Server before 2.4.10 does not have a timeout mechanism, which allows remote attackers to cause a denial of service (process hang) via a request to a CGI script that does not read from its stdin file descriptor.

  • CVE-2007-5000Dec 13, 2007
    risk 0.04cvss epss 0.47

    Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or…

Page 6 of 18