CVE-2024-36387 — NULL Pointer Dereference in Software Foundation Apache Http Server

CWE-476 — NULL Pointer Dereference10 documents8 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 59.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Http Server Apache Http Server Netapp Ontap

Timeline

PublishedJul 1

Latest updateJul 11

Description

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶NVDapache/http_server2.4.55 — 2.4.59

▶CVEListV5apache_software_foundation/apache_http_server2.4.55 — 2.4.59

Also affects: Ontap 9

🔴Vulnerability Details

OSV

apache2 regression↗2024-07-11

▶

OSV

apache2 vulnerabilities↗2024-07-08

▶

GHSA

GHSA-463r-p989-2f9j: Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, deg↗2024-07-01

▶

OSV

CVE-2024-36387: Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, deg↗2024-07-01

▶

CVEList

Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2↗2024-07-01

▶

📋Vendor Advisories

Microsoft

Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2↗2024-07-09

▶

Ubuntu

Apache HTTP Server vulnerabilities↗2024-07-08

▶

Red Hat

mod_http2: DoS by null pointer in websocket over HTTP/2↗2024-07-01

▶

Debian

CVE-2024-36387: apache2 - Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a N...↗2024

▶