Vulnerabilities (CVE)

Filtered by vendor Apache Subscribe
Filtered by product Http Server
Total 286 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-12171 2 Apache, Redhat 5 Http Server, Enterprise Linux, Enterprise Linux Desktop and 2 more 2023-02-02 6.4 MEDIUM 6.5 MEDIUM
A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd, causing comments in the "Allow" and "Deny" configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a restricted HTTP resource.
CVE-2016-8612 3 Apache, Netapp, Redhat 3 Http Server, Storage Automation Store, Enterprise Linux 2023-02-02 3.3 LOW 4.3 MEDIUM
An error was found in protocol parsing logic of mod_cluster load balancer Apache HTTP Server modules. An attacker could use this flaw to cause a Segmentation Fault in the serving httpd process.
CVE-2008-2939 4 Apache, Apple, Canonical and 1 more 4 Http Server, Mac Os X, Ubuntu Linux and 1 more 2023-02-02 4.3 MEDIUM N/A
CVE-2008-2939 httpd: mod_proxy_ftp globbing XSS
CVE-2009-1890 5 Apache, Canonical, Debian and 2 more 9 Http Server, Ubuntu Linux, Debian Linux and 6 more 2023-02-02 7.1 HIGH N/A
CVE-2009-1890 httpd: mod_proxy reverse proxy DoS (infinite loop)
CVE-2009-0796 1 Apache 2 Http Server, Mod Perl 2023-02-02 2.6 LOW N/A
CVE-2009-0796 httpd mod_perl Apache::Status XSS flaw
CVE-2009-3555 8 Apache, Canonical, Debian and 5 more 8 Http Server, Ubuntu Linux, Debian Linux and 5 more 2023-02-02 5.8 MEDIUM N/A
CVE-2009-3555 TLS: MITM attacks via session renegotiation
CVE-2007-3847 3 Apache, Canonical, Fedoraproject 4 Http Server, Ubuntu Linux, Fedora and 1 more 2023-02-02 5.0 MEDIUM N/A
CVE-2007-3847 httpd: out of bounds read
CVE-2022-36760 1 Apache 1 Http Server 2023-01-30 N/A 9.0 CRITICAL
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.
CVE-2022-37436 1 Apache 1 Http Server 2023-01-25 N/A 5.3 MEDIUM
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
CVE-2006-20001 1 Apache 1 Http Server 2023-01-25 N/A 7.5 HIGH
A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
CVE-2006-3747 3 Apache, Canonical, Debian 3 Http Server, Ubuntu Linux, Debian Linux 2023-01-19 7.6 HIGH N/A
Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.
CVE-2019-9517 12 Apache, Apple, Canonical and 9 more 25 Http Server, Traffic Server, Mac Os X and 22 more 2023-01-19 7.8 HIGH 7.5 HIGH
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
CVE-2021-44790 7 Apache, Apple, Debian and 4 more 14 Http Server, Mac Os X, Macos and 11 more 2022-11-02 7.5 HIGH 9.8 CRITICAL
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
CVE-2022-22720 5 Apache, Apple, Debian and 2 more 8 Http Server, Mac Os X, Macos and 5 more 2022-11-02 7.5 HIGH 9.8 CRITICAL
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling
CVE-2022-22719 5 Apache, Apple, Debian and 2 more 7 Http Server, Mac Os X, Macos and 4 more 2022-11-02 5.0 MEDIUM 7.5 HIGH
A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.
CVE-2022-22721 5 Apache, Apple, Debian and 2 more 8 Http Server, Mac Os X, Macos and 5 more 2022-11-02 5.8 MEDIUM 9.1 CRITICAL
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.
CVE-2021-44224 6 Apache, Apple, Debian and 3 more 12 Http Server, Mac Os X, Macos and 9 more 2022-11-02 6.4 MEDIUM 8.2 HIGH
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
CVE-2021-41773 4 Apache, Fedoraproject, Netapp and 1 more 4 Http Server, Fedora, Cloud Backup and 1 more 2022-10-28 4.3 MEDIUM 7.5 HIGH
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
CVE-2021-41524 4 Apache, Fedoraproject, Netapp and 1 more 4 Http Server, Fedora, Cloud Backup and 1 more 2022-10-28 5.0 MEDIUM 7.5 HIGH
While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.
CVE-2021-34798 8 Apache, Broadcom, Debian and 5 more 18 Http Server, Brocade Fabric Operating System Firmware, Debian Linux and 15 more 2022-10-28 5.0 MEDIUM 7.5 HIGH
Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.