VYPR · Vendor CVEs · Apache · All CVEs

2,552 total · sorted by risk
  • CVE-2005-2728 · Aug 30, 2005
    risk 0.01 · cvss n/a · epss 0.11

    The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.

  • CVE-2005-1268 · Aug 5, 2005
    risk 0.01 · cvss n/a · epss 0.08

    Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.

  • CVE-2005-1266 · Jun 15, 2005
    risk 0.01 · cvss n/a · epss 0.08

    Apache SpamAssassin 3.0.1, 3.0.2, and 3.0.3 allows remote attackers to cause a denial of service (CPU consumption and slowdown) via a message with a long Content-Type header without any boundaries.

  • CVE-2005-0088 · May 2, 2005
    risk 0.01 · cvss n/a · epss 0.06

    The publisher handler for mod_python 2.7.8 and earlier allows remote attackers to obtain access to restricted objects via a crafted URL.

  • CVE-2004-0811 · Dec 31, 2004
    risk 0.01 · cvss n/a · epss 0.07

    Unknown vulnerability in Apache 2.0.51 prevents "the merging of the Satisfy directive," which could allow attackers to obtain access to restricted resources contrary to the specified authentication configuration.

  • CVE-2004-0885 · Nov 3, 2004
    risk 0.01 · cvss n/a · epss 0.14

    The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SSLCipherSuite" directive in directory or location context, allows remote clients to bypass intended restrictions by using any cipher suite that is allowed by the virtual host configuration.

  • CVE-2004-0809 · Sep 16, 2004
    risk 0.01 · cvss n/a · epss 0.15

    The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access.

  • CVE-2003-0993 · Mar 29, 2004
    risk 0.01 · cvss n/a · epss 0.10

    mod_access in Apache 1.3 before 1.3.30, when running on big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions.

  • CVE-2004-0113 · Mar 29, 2004
    risk 0.01 · cvss n/a · epss 0.10

    Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server.

  • CVE-2004-1082 · Feb 3, 2004
    risk 0.01 · cvss n/a · epss 0.08

    mod_digest_apple for Apache 1.3.31 and 1.3.32 on Mac OS X Server does not properly verify the nonce of a client response, which allows remote attackers to replay credentials.

  • CVE-2003-0542 · Nov 3, 2003
    risk 0.01 · cvss n/a · epss 0.13

    Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers who are able to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures.

  • CVE-2003-0460 · Aug 27, 2003
    risk 0.01 · cvss n/a · epss 0.13

    The rotatelogs program on Apache before 1.3.28, for Windows and OS/2 systems, does not properly ignore certain control characters that are received over the pipe, which could allow remote attackers to cause a denial of service.

  • CVE-2003-0254 · Aug 18, 2003
    risk 0.01 · cvss n/a · epss 0.09

    Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket.

  • CVE-2003-0253 · Aug 18, 2003
    risk 0.01 · cvss n/a · epss 0.09

    The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service.

  • CVE-2003-0189 · Jun 9, 2003
    risk 0.01 · cvss n/a · epss 0.15

    The authentication module for Apache 2.0.40 through 2.0.45 on Unix does not properly handle threads safely when using the crypt_r or crypt functions, which allows remote attackers to cause a denial of service (failed Basic authentication with valid usernames and passwords) when…

  • CVE-2003-0083 · Apr 2, 2003
    risk 0.01 · cvss n/a · epss 0.17

    Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a…

  • CVE-2003-0020 · Mar 18, 2003
    risk 0.01 · cvss n/a · epss 0.11

    Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.

  • CVE-2003-0044 · Feb 7, 2003
    risk 0.01 · cvss n/a · epss 0.09

    Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.

  • CVE-2003-0016 · Feb 7, 2003
    risk 0.01 · cvss n/a · epss 0.16

    Apache before 2.0.44, when running on unpatched Windows 9x and Me operating systems, allows remote attackers to cause a denial of service or execute arbitrary code via an HTTP request containing MS-DOS device names.

  • CVE-2002-2009 · Dec 31, 2002
    risk 0.01 · cvss n/a · epss 0.07

    Apache Tomcat 4.0.1 allows remote attackers to obtain the web root path via HTTP requests for JSP files preceded by (1) +/, (2) >/, (3) </, and (4) %20/, which leaks the pathname in an error message.

  • CVE-2002-2008 · Dec 31, 2002
    risk 0.01 · cvss n/a · epss 0.07

    Apache Tomcat 4.0.3 for Windows allows remote attackers to obtain the web root path via an HTTP request for a resource that does not exist, such as lpt9, which leaks the information in an error message.

  • CVE-2002-1157 · Nov 4, 2002
    risk 0.01 · cvss n/a · epss 0.10

    Cross-site scripting vulnerability in the mod_ssl Apache module 2.8.9 and earlier, when UseCanonicalName is off and wildcard DNS is enabled, allows remote attackers to execute script as other web site visitors, via the server name in an HTTPS response on the SSL port, which is…

  • CVE-2002-1156 · Oct 11, 2002
    risk 0.01 · cvss n/a · epss 0.13

    Apache 2.0.42 allows remote attackers to view the source code of a CGI script via a POST request to a directory with both WebDAV and CGI enabled.

  • CVE-2002-0935 · Oct 4, 2002
    risk 0.01 · cvss n/a · epss 0.08

    Apache Tomcat 4.0.3, and possibly other versions before 4.1.3 beta, allows remote attackers to cause a denial of service (resource exhaustion) via a large number of requests to the server with null characters, which causes the working threads to hang.

  • CVE-2002-1593 · Sep 25, 2002
    risk 0.01 · cvss n/a · epss 0.07

    mod_dav in Apache before 2.0.42 does not properly handle versioning hooks, which may allow remote attackers to kill a child process via a null dereference and cause a denial of service (CPU consumption) in a preforked multi-processing module.

  • CVE-2002-0249 · May 29, 2002
    risk 0.01 · cvss n/a · epss 0.08

    PHP for Windows, when installed on Apache 2.0.28 beta as a standalone CGI module, allows remote attackers to obtain the physical path of the php.exe via a request with malformed arguments such as /123, which leaks the pathname in the error message.

  • CVE-2002-0240 · May 29, 2002
    risk 0.01 · cvss n/a · epss 0.08

    PHP, when installed with Apache and configured to search for index.php as a default web page, allows remote attackers to obtain the full pathname of the server via the HTTP OPTIONS method, which reveals the pathname in the resulting error message.

  • CVE-2002-1592 · May 6, 2002
    risk 0.01 · cvss n/a · epss 0.12

    The ap_log_rerror function in Apache 2.0 through 2.0.35, when a CGI application encounters an error, sends error messages to the client that include the full path for the server, which allows remote attackers to obtain sensitive information.

  • CVE-2001-0829 · Dec 6, 2001
    risk 0.01 · cvss n/a · epss 0.14

    A cross-site scripting vulnerability in Apache Tomcat 3.2.1 allows a malicious webmaster to embed Javascript in a request for a .JSP file, which causes the Javascript to be inserted into an error message.

  • CVE-2001-1449 · Nov 28, 2001
    risk 0.01 · cvss n/a · epss 0.08

    The default installation of Apache before 1.3.19 on Mandrake Linux 7.1 through 8.0 and Linux Corporate Server 1.0.1 allows remote attackers to list the directory index of arbitrary web directories.

  • CVE-2001-0917 · Nov 22, 2001
    risk 0.01 · cvss n/a · epss 0.08

    Jakarta Tomcat 4.0.1 allows remote attackers to reveal physical path information by requesting a long URL with a .JSP extension.

  • CVE-2001-0729 · Oct 30, 2001
    risk 0.01 · cvss n/a · epss 0.07

    Apache 1.3.20 on Windows servers allows remote attackers to bypass the default index page and list directory contents via a URL with a large number of / (slash) characters.

  • CVE-2001-0730 · Oct 30, 2001
    risk 0.01 · cvss n/a · epss 0.12

    split-logfile in Apache 1.3.20 allows remote attackers to overwrite arbitrary files that end in the .log extension via an HTTP request with a / (slash) in the Host: header.

  • CVE-2001-1342 · May 12, 2001
    risk 0.01 · cvss n/a · epss 0.12

    Apache before 1.3.20 on Windows and OS/2 systems allows remote attackers to cause a denial of service (GPF, general protection fault) via an HTTP request for a URI that contains a large number of / (slash) or other characters, which causes certain functions to dereference a null pointer.

  • CVE-2000-1204 · Oct 13, 2000
    risk 0.01 · cvss n/a · epss 0.11

    Vulnerability in the mod_vhost_alias virtual hosting module for Apache 1.3.9, 1.3.11 and 1.3.12 allows remote attackers to obtain the source code for CGI programs if the cgi-bin directory is under the document root.

  • CVE-2000-0672 · Jul 20, 2000
    risk 0.01 · cvss n/a · epss 0.10

    The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory.

  • CVE-1999-1237 · Jun 6, 1999
    risk 0.01 · cvss n/a · epss 0.08

    Multiple buffer overflows in the smbvalid/smbval SMB authentication library, as used in Apache::AuthenSmb and possibly other modules, allow remote attackers to execute arbitrary commands via (1) a long username, (2) a long password, and (3) other unspecified methods.

  • CVE-2026-52760 · Jul 2, 2026
    risk 0.00 · cvss n/a · epss n/a

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web Console. The browse page in the web console renders a message Id directly without sanitization. This allows an authenticated producer to…

  • CVE-2026-49877 · Jul 2, 2026
    risk 0.00 · cvss n/a · epss n/a

    Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ:…

  • CVE-2026-55957 · Jun 30, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Missing Critical Step in Authentication vulnerability in Apache Tomcat: when the JNDIRealm was configured to authenticate binds using GSSAPI, attackers could authenticate without providing the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4,…

  • CVE-2026-55956 · Jun 30, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1…

  • CVE-2026-56130 · Jun 28, 2026
    risk 0.00 · cvss n/a · epss 0.00

    "Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and…

  • CVE-2026-56091 · Jun 28, 2026
    risk 0.00 · cvss n/a · epss 0.00

    When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to CVE-2020-1957 (https://www.cve.org/CVERecord?id=CVE-2020-1957), except that it…

  • CVE-2025-62198 · Jun 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    An authenticated user can perform XSS. This issue affects Apache Atlas versions 2.4.0 and earlier. Users are recommended to upgrade to version 2.5.0, which fixes the issue.

  • CVE-2026-44914 · Jun 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework…

  • CVE-2026-44911 · Jun 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed properties override current configuration, enabling users with read access to…

  • CVE-2026-44913 · Jun 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection…

  • CVE-2026-54665 · Jun 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict…

  • CVE-2025-66336 · Jun 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Apache Doris MCP Server contains a SQL injection vulnerability in a metadata query path. A user-controlled database name is directly interpolated into a SQL query, and the query is executed without passing the caller's authorization context. This may allow an authenticated…

  • CVE-2026-49872 · Jun 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to…
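
The split-logfile entry (CVE-2001-0730) and the two log escape-sequence entries (CVE-2003-0083, CVE-2003-0020) above share a root cause: request data reaching the log layer without being neutralized, once as a file name taken from the Host header and once as log content containing terminal control bytes. The following Python is an added example for this page, not Apache's split-logfile or logging code. The hostname rule, the log root, the CLF-style formatter and the sample requests are assumptions constructed for illustration. It refuses a Host value that is not a plain hostname before using it to name a file, and rewrites control characters (ESC included) as \xHH so a log viewer's terminal never interprets them.

```python
"""Log-hygiene checks behind the split-logfile (CVE-2001-0730) and log
escape-sequence (CVE-2003-0083, CVE-2003-0020) entries. Added example for
this page, not Apache code. Assumes a hypothetical per-vhost logger that
names its log file after the client-supplied Host header and writes the
request line into that file."""
import re
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# RFC 1123 style hostname: dot-separated labels of [A-Za-z0-9-], no label
# starting or ending with '-'. A '/', '..', whitespace or an ESC byte fails.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")

LOG_ROOT = "/var/log/httpd"   # assumption: the logger's directory


def log_target(host: str, log_root: str = LOG_ROOT) -> Optional[PurePosixPath]:
    """Map a Host header to <log_root>/<host>.log, or None if it is not a hostname.

    The vulnerable pattern is open(log_root + "/" + host + ".log", "a") with no
    validation: a Host of "../../somewhere/evil" then names a file outside log_root.
    """
    host = host.strip().lower().rstrip(".")
    if not host or len(host) > 253 or not HOSTNAME_RE.match(host):
        return None
    root = PurePosixPath(log_root)
    target = root / f"{host}.log"
    assert target.parent == root   # regex already excludes '/', '..' and empty labels
    return target


def escape_log_item(item: str) -> str:
    """Rewrite backslash and every C0/DEL control character as \\xHH.

    ESC (0x1b) is what starts a terminal escape sequence, so an attacker's URI
    of "/\\x1b[2J" reaches the log as literal text rather than a screen-clear.
    """
    out = []
    for ch in item:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif code < 0x20 or code == 0x7F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    return "".join(out)


def format_access_line(client_ip: str, request_line: str, status: int, size: int) -> str:
    """Common-log-format style line with the attacker-controlled field escaped."""
    return f'{client_ip} - - "{escape_log_item(request_line)}" {status} {size}'


# Constructed sample requests (Host header, request line); not captured traffic.
SAMPLE_REQUESTS = [
    ("www.example.org", "GET /index.html HTTP/1.0"),
    ("../../etc/cron.d/evil", "GET / HTTP/1.0"),                     # '/' in Host
    ("www.example.org", "GET /\x1b[2J\x1b]0;pwned\x07 HTTP/1.0"),  # ESC, BEL in URI
]


def process_samples() -> List[Tuple[Optional[PurePosixPath], str]]:
    """Return (log file, or None when the Host was rejected; escaped line) per sample."""
    return [
        (log_target(host), format_access_line("192.0.2.10", request_line, 200, 512))
        for host, request_line in SAMPLE_REQUESTS
    ]


if __name__ == "__main__":
    for target, line in process_samples():
        label = str(target) if target else "REJECTED Host"
        print(f"{label:40} {line}")
```

The second sample is rejected before any file name is built, and the third is written with its ESC and BEL bytes spelled out, which is the property the 1.3.x and 2.0.x fixes restored: whatever a client sends, the log stays inert when someone runs `tail -f` on it.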

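The CVE-2026-56130 entry above describes a "remember me" cookie whose age is enforced only by the browser, so a captured cookie can be replayed after it should have expired. The following Python is an added example, not Apache Shiro code: it issues a cookie whose issue and expiry times sit inside an HMAC-protected payload, then shows a verifier that checks only the signature (the vulnerable pattern) beside one that also checks the embedded expiry against the server clock. SECRET_KEY, MAX_AGE_SECONDS, the claim names and the clock values are assumptions for this example.

```python
"""Server-side expiry for a signed "remember me" cookie, illustrating the
CVE-2026-56130 entry (cookie age enforced only by the browser). Added example,
not Apache Shiro code; the cookie layout, SECRET_KEY, MAX_AGE_SECONDS and the
clock values are assumptions for this page."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-key-not-for-real-use"   # assumption: from a secret store in practice
MAX_AGE_SECONDS = 14 * 24 * 3600                         # assumption: two-week remember-me window


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, now: Optional[float] = None) -> str:
    """Return "<payload>.<hmac>" where the payload carries issue (iat) and expiry (exp) times.

    Because iat/exp are inside the signed payload a client cannot extend them;
    the Set-Cookie Max-Age attribute is only a hint to the browser.
    """
    now = int(time.time() if now is None else now)
    claims = {"sub": user_id, "iat": now, "exp": now + MAX_AGE_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def _parse(cookie: str) -> Optional[dict]:
    """Split, check the HMAC in constant time, decode the claims; None on any failure."""
    try:
        payload_b64, sig_b64 = cookie.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:            # wrong field count or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def verify_cookie_vulnerable(cookie: str) -> Optional[str]:
    """The flawed pattern: a valid signature is enough, so an intercepted cookie never expires."""
    claims = _parse(cookie)
    return claims.get("sub") if claims else None


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Hardened: signature plus a server-clock check of the embedded age; user id or None."""
    claims = _parse(cookie)
    if not claims:
        return None
    now = time.time() if now is None else now
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return None
    # Reject cookies dated in the future, past their expiry, or claiming a
    # longer window than policy allows (a stale cookie minted under an older, looser policy).
    if now < iat or now >= exp or exp - iat > MAX_AGE_SECONDS:
        return None
    return claims.get("sub")


if __name__ == "__main__":
    t0 = 1_700_000_000
    cookie = issue_cookie("alice", now=t0)
    late = t0 + MAX_AGE_SECONDS + 1
    print("signature-only check after expiry:", verify_cookie_vulnerable(cookie))   # alice
    print("signature + age check after expiry:", verify_cookie(cookie, now=late))   # None
```

The server clock, not the client, decides whether the cookie is still within its window; rotating SECRET_KEY additionally invalidates every outstanding cookie at once, which is the usual response once such a cookie is known to have leaked.
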
Page 25 of 52