Apache Http Server vulnerabilities
310 known vulnerabilities affecting apache/http_server.
Total CVEs
310
CISA KEV
5
actively exploited
Public exploits
69
Exploited in wild
7
Severity breakdown
CRITICAL35HIGH100MEDIUM162LOW13
Vulnerabilities
Page 10 of 16
CVE-2009-1891HIGHCVSS 7.1≥ 2.0.35, < 2.0.64≥ 2.2.0, < 2.2.122009-07-10
CVE-2009-1891 [HIGH] CWE-400 CVE-2009-1891: The mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until completion ev
The mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until completion even after the associated network connection is closed, which allows remote attackers to cause a denial of service (CPU consumption).
nvd
CVE-2009-1890HIGHCVSS 7.1≥ 2.2.0, < 2.2.122009-07-05
CVE-2009-1890 [HIGH] CWE-400 CVE-2009-1890: The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server
The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.
nvd
CVE-2009-1955HIGHCVSS 7.5PoC≥ 2.2.0, < 2.2.122009-06-08
CVE-2009-1955 [HIGH] CWE-776 CVE-2009-1955: The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFI
nvd
CVE-2009-1956MEDIUMCVSS 6.4≥ 2.2.0, < 2.2.122009-06-08
CVE-2009-1956 [MEDIUM] CWE-189 CVE-2009-1956: Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian p
Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.
nvd
CVE-2009-0023MEDIUMCVSS 4.3≥ 2.2.0, < 2.2.122009-06-08
CVE-2009-0023 [MEDIUM] CWE-119 CVE-2009-0023: The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allo
The apr_strmatch_precompile function in strmatch/apr_strmatch.c in Apache APR-util before 1.3.5 allows remote attackers to cause a denial of service (daemon crash) via crafted input involving (1) a .htaccess file used with the Apache HTTP Server, (2) the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2 mod
nvd
CVE-2009-1195MEDIUMCVSS 4.9v2.2.0v2.2.1+7 more2009-05-28
CVE-2009-1195 [MEDIUM] CWE-16 CVE-2009-1195: The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEX
The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file.
nvd
CVE-2009-1191MEDIUMCVSS 5.0v2.2.112009-04-23
CVE-2009-1191 [MEDIUM] CVE-2009-1191: mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers
mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request.
nvd
CVE-2008-2939MEDIUMCVSS 4.3≤ 2.0.63≥ 2.2.0, ≤ 2.2.92008-08-06
CVE-2008-2939 [MEDIUM] CWE-79 CVE-2008-2939: Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63
Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.
nvd
CVE-2008-2364MEDIUMCVSS 5.0≥ 2.0.35, < 2.0.64≥ 2.2.0, < 2.2.92008-06-13
CVE-2008-2364 [MEDIUM] CWE-770 CVE-2008-2364: The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apach
The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses.
nvd
CVE-2008-2168MEDIUMCVSS 4.3PoCv2.0v2.0.9+44 more2008-05-13
CVE-2008-2168 [MEDIUM] CWE-79 CVE-2008-2168: Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inje
Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page.
nvd
CVE-2008-0455MEDIUMCVSS 4.3PoC≥ 2.2.0, < 2.2.23≥ 2.4.1, < 2.4.32008-01-25
CVE-2008-0455 [MEDIUM] CWE-79 CVE-2008-0455: Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2
Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a
nvd
CVE-2008-0456LOWCVSS 2.6≥ 2.2.0, < 2.2.122008-01-25
CVE-2008-0456 [LOW] CWE-74 CVE-2008-0456: CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earli
CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line n
nvd
CVE-2007-6423HIGHCVSS 7.8v2.2.2v2.2.3+2 more2008-01-12
CVE-2007-6423 [HIGH] CWE-399 CVE-2007-6423: Unspecified vulnerability in mod_proxy_balancer for Apache HTTP Server 2.2.x before 2.2.7-dev, when
Unspecified vulnerability in mod_proxy_balancer for Apache HTTP Server 2.2.x before 2.2.7-dev, when running on Windows, allows remote attackers to trigger memory corruption via a long URL. NOTE: the vendor could not reproduce this issue
nvd
CVE-2007-6420MEDIUMCVSS 4.3v2.2.0v2.2.2+5 more2008-01-12
CVE-2007-6420 [MEDIUM] CWE-352 CVE-2007-6420: Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Ap
Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers to gain privileges via unspecified vectors.
nvd
CVE-2008-0005MEDIUMCVSS 4.3≥ 2.0.35, < 2.0.63≥ 2.2.0, < 2.2.82008-01-12
CVE-2008-0005 [MEDIUM] CWE-79 CVE-2008-0005: mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev
mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding.
nvd
CVE-2007-6388MEDIUMCVSS 4.3≥ 1.3.2, ≤ 1.3.39≥ 2.0.35, ≤ 2.0.61+1 more2008-01-08
CVE-2007-6388 [MEDIUM] CWE-79 CVE-2007-6388: Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6
Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2007-6422MEDIUMCVSS 4.0v2.2v2.2.1+4 more2008-01-08
CVE-2007-6422 [MEDIUM] CWE-399 CVE-2007-6422: The balancer_handler function in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6, w
The balancer_handler function in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6, when a threaded Multi-Processing Module is used, allows remote authenticated users to cause a denial of service (child process crash) via an invalid bb variable.
nvd
CVE-2007-6421LOWCVSS 3.5v2.2v2.2.1+4 more2008-01-08
CVE-2007-6421 [LOW] CWE-79 CVE-2007-6421: Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTT
Cross-site scripting (XSS) vulnerability in balancer-manager in mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) ss, (2) wr, or (3) rr parameters, or (4) the URL.
nvd
CVE-2007-6514MEDIUMCVSS 4.3PoCv2.2.62007-12-21
CVE-2007-6514 [MEDIUM] CWE-200 CVE-2007-6514: Apache HTTP Server, when running on Linux with a document root on a Windows share mounted using smbf
Apache HTTP Server, when running on Linux with a document root on a Windows share mounted using smbfs, allows remote attackers to obtain unprocessed content such as source files for .php programs via a trailing "\" (backslash), which is not handled by the intended AddType directive.
nvd
CVE-2007-5000MEDIUMCVSS 4.3≥ 1.3.0, ≤ 1.3.39≥ 2.0.35, ≤ 2.0.61+1 more2007-12-13
CVE-2007-5000 [MEDIUM] CWE-79 CVE-2007-5000: Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0
Cross-site scripting (XSS) vulnerability in the (1) mod_imap module in the Apache HTTP Server 1.3.0 through 1.3.39 and 2.0.35 through 2.0.61 and the (2) mod_imagemap module in the Apache HTTP Server 2.2.0 through 2.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd