HTTP Server
by Apache
CVEs (341)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2004-0173 | | | 0.04 | — | 0.16 | | Apr 15, 2004 | Directory traversal vulnerability in Apache 1.3.29 and earlier, and Apache 2.0.48 and earlier, when running on Cygwin, allows remote attackers to read arbitrary files via a URL containing "..%5C" (dot dot encoded backslash) sequences. |
| CVE-2002-2272 | | | 0.04 | — | 0.10 | | Dec 31, 2002 | Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values. |
| CVE-2001-0042 | | | 0.04 | — | 0.09 | | Feb 16, 2001 | PHP 3.x (PHP3) on Apache 1.3.6 allows remote attackers to read arbitrary files via a modified .. (dot dot) attack containing "%5c" (encoded backslash) sequences. |
| CVE-2000-1016 | | | 0.04 | — | 0.08 | | Dec 11, 2000 | The default configuration of Apache (httpd.conf) on SuSE 6.4 includes an alias for the /usr/doc directory, which allows remote attackers to read package documentation and obtain system configuration information via an HTTP request for the /doc/packages URL. |
| CVE-2000-0868 | | | 0.04 | — | 0.45 | | Nov 14, 2000 | The default configuration of Apache 1.3.12 in SuSE Linux 6.4 allows remote attackers to read source code for CGI scripts by replacing the /cgi-bin/ in the requested URL with /cgi-bin-sdb/. |
| CVE-1999-0926 | | | 0.04 | — | 0.09 | | Sep 3, 1999 | Apache allows remote attackers to conduct a denial of service via a large number of MIME headers. |
| CVE-2014-5329 | | | 0.03 | — | 0.02 | | Sep 8, 2023 | GIGAPOD file servers (Appliance model and Software model) provide two web interfaces, 80/tcp and 443/tcp for user operation, and 8001/tcp for administrative operation. 8001/tcp is served by a version of Apache HTTP server containing a flaw in handling HTTP requests… |
| CVE-2022-26377 | | | 0.03 | — | 0.19 | | Jun 8, 2022 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version… |
| CVE-2021-39275 | | | 0.03 | — | 0.36 | | Sep 16, 2021 | ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. |
| CVE-2021-30641 | | | 0.03 | — | 0.52 | | Jun 10, 2021 | Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF' |
| CVE-2019-10082 | | | 0.03 | — | 0.17 | | Sep 26, 2019 | In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown. |
| CVE-2019-10081 | | | 0.03 | — | 0.15 | | Aug 15, 2019 | HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the… |
| CVE-2019-0217 | | | 0.03 | — | 0.18 | | Apr 8, 2019 | In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. |
| CVE-2014-0118 | | | 0.03 | — | 0.37 | | Jul 20, 2014 | The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses… |
| CVE-2014-0117 | | | 0.03 | — | 0.36 | | Jul 20, 2014 | The mod_proxy module in the Apache HTTP Server 2.4.x before 2.4.10, when a reverse proxy is enabled, allows remote attackers to cause a denial of service (child-process crash) via a crafted HTTP Connection header. |
| CVE-2012-0031 | | | 0.03 | — | 0.03 | | Jan 18, 2012 | scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an… |
| CVE-2011-4415 | | | 0.03 | — | 0.03 | | Nov 8, 2011 | The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory… |
| CVE-2011-3607 | | | 0.03 | — | 0.05 | | Nov 8, 2011 | Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in… |
| CVE-2010-0010 | | | 0.03 | — | 0.43 | | Feb 2, 2010 | Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size… |
| CVE-2008-2939 | | | 0.03 | — | 0.39 | | Aug 6, 2008 | Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a… |
Page 7 of 18