Apache Httpd vulnerabilities

CVE-2021-41773 [CRITICAL] Apache httpd: CVE-2021-41773 Apache httpd: CVE-2021-41773 It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathe

CVE-2019-0190 [HIGH] Apache httpd: CVE-2019-0190 Apache httpd: CVE-2019-0190 A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts. Acknowledgements: The issue was discovered th

CVE-2022-23943 [HIGH] Apache httpd: CVE-2022-23943 Apache httpd: CVE-2022-23943 Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions. Acknowledgements: Ronald Crane (Zippenhop LLC) Reported to security team 2022-01-13 fixed by r1898695, r1898772 in 2.4.x 2022-03-09 Update 2.4.53 released 2022-03-14 Affects <=2.4.52 Severity: h

CVE-2014-3523 [HIGH] Apache httpd: CVE-2014-3523 Apache httpd: CVE-2014-3523 A flaw was found in the WinNT MPM in httpd versions 2.4.1 to 2.4.9, when using the default AcceptFilter for that platform. A remote attacker could send carefully crafted requests that would leak memory and eventually lead to a denial of service against the server. Acknowledgements: This issue was reported by Jeff Trawick of the ASF Reported to security team 2014-07-01 Issue public 2014-07-15 Update 2.4.10 released 2014-

CVE-2021-40438 [HIGH] Apache httpd: CVE-2021-40438 Apache httpd: CVE-2021-40438 A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. Acknowledgements: The issue was discovered by the Apache HTTP security team while analysing CVE-2021-36160 Update 2.4.49 released 2021-09-16 Affects <=2.4.48 Severity: high

CVE-2012-3502 [HIGH] Apache httpd: CVE-2012-3502 Apache httpd: CVE-2012-3502 The modules mod_proxy_ajp and mod_proxy_http did not always close the connection to the back end server when necessary as part of error handling. This could lead to an information disclosure due to a response mixup between users. Reported to security team 2012-08-16 Issue public 2012-08-16 Update 2.4.3 released 2012-08-21 Affects 2.4.2, 2.4.1 Severity: high

CVE-2024-39884 [HIGH] Apache httpd: CVE-2024-39884 Apache httpd: CVE-2024-39884 A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.

CVE-2017-9789 [HIGH] Apache httpd: CVE-2017-9789 Apache httpd: CVE-2017-9789 When under stress, closing many connections, the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in potentially erratic behaviour. Acknowledgements: We would like to thank Robert Święcki for reporting this issue. Reported to security team 2017-06-30 Issue public 2017-07-11 Update 2.4.27 released 2017-07-11 Affects 2.4.26 Severity: high

CVE-2016-4979 [HIGH] Apache httpd: CVE-2016-4979 Apache httpd: CVE-2016-4979 For configurations enabling support for HTTP/2, SSL client certificate validation was not enforced if configured, allowing clients unauthorized access to protected resources over HTTP/2. This issue affected releases 2.4.18 and 2.4.20 only. Acknowledgements: This issue was reported by Erki Aring. Reported to security team 2016-06-30 Issue public 2016-07-05 Update 2.4.23 released 2016-07-05 Affects 2.4.20, 2.4.18 Severity

CVE-2010-2068 [HIGH] Apache httpd: CVE-2010-2068 Apache httpd: CVE-2010-2068 An information disclosure flaw was found in mod_proxy_http in versions 2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha. Under certain timeout conditions, the server could return a response intended for another user. Only Windows, Netware and OS2 operating systems are affected. Only those configurations which trigger the use of proxy worker pools are affected. There was no vulnerability on earlier versions, as proxy po

CVE-2024-40898 [HIGH] Apache httpd: CVE-2024-40898 Apache httpd: CVE-2024-40898 SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue. Acknowledgements: finder: Smi1e (DBAPPSecurity Ltd.) finder: xiaojunjie (DBAPPSecurity Ltd.) Reported to security team 2024-07-12 fixed by r1919248 in 2.4.x 2024-07-15 Upd

CVE-2021-44790 [HIGH] Apache httpd: CVE-2021-44790 Apache httpd: CVE-2021-44790 A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. Acknowledgements: Chamal Reported to security team 2021-12-07 Fixed by r1896039 in 2.4.x 2021-12-16 Update 2.4.52 re

CVE-2021-31618 [HIGH] Apache httpd: CVE-2021-31618 Apache httpd: CVE-2021-31618 Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offen

CVE-2011-3192 [HIGH] Apache httpd: CVE-2011-3192 Apache httpd: CVE-2011-3192 A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. This could be used in a denial of service attack. Advisory: CVE-2011-3192.txt Reported to security team 2011-08-20 Issue public 2011-08-20 Update 2.2.20 released 2011-08-30 Update 2.0.

CVE-2017-7679 [HIGH] Apache httpd: CVE-2017-7679 Apache httpd: CVE-2017-7679 mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. Acknowledgements: We would like to thank ChenQin and Hanno Böck for reporting this issue. Reported to security team 2015-11-15 Issue public 2017-06-19 Update 2.4.26 released 2017-06-19 Update 2.2.34 released 2017-07-11 Affects 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.

CVE-2006-3747 [HIGH] Apache httpd: CVE-2006-3747 Apache httpd: CVE-2006-3747 An off-by-one flaw exists in the Rewrite module, mod_rewrite. Depending on the manner in which Apache httpd was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potent

CVE-2010-2791 [HIGH] Apache httpd: CVE-2010-2791 Apache httpd: CVE-2010-2791 An information disclosure flaw was found in mod_proxy_http in version 2.2.9 only, on Unix platforms. Under certain timeout conditions, the server could return a response intended for another user. Only those configurations which trigger the use of proxy worker pools are affected. There was no vulnerability on earlier versions, as proxy pools were not yet introduced. The simplest workaround is to globally configure: SetE

CVE-2009-2412 [LOW] Apache httpd: CVE-2009-2412 Apache httpd: CVE-2009-2412 A flaw in apr_palloc() in the bundled copy of APR could cause heap overflows in programs that try to apr_palloc() a user controlled size. The Apache HTTP Server itself does not pass unsanitized user-provided sizes to this function, so it could only be triggered through some other application which uses apr_palloc() in a vulnerable way. Reported to security team 2009-07-27 Issue public 2009-08-04 Update 2.2.13 released 20

CVE-2016-1546 [LOW] Apache httpd: CVE-2016-1546 Apache httpd: CVE-2016-1546 By manipulating the flow control windows on streams, a client was able to block server threads for long times, causing starvation of worker threads. Connections could still be opened, but no streams where processed for these. This issue affected HTTP/2 support in 2.4.17 and 2.4.18. Acknowledgements: This issue was reported by Noam Mazor. Reported to security team 2016-02-02 Issue public 2016-04-11 Update 2.4.20 released

CVE-2010-0434 [LOW] Apache httpd: CVE-2010-0434 Apache httpd: CVE-2010-0434 A flaw in the core subrequest process code was fixed, to always provide a shallow copy of the headers_in array to the subrequest, instead of a pointer to the parent request's array as it had for requests without request bodies. This meant all modules such as mod_headers which may manipulate the input headers for a subrequest would poison the parent request in two ways, one by modifying the parent request, which might not