Apache Httpd vulnerabilities

CVE-2017-9798 [LOW] Apache httpd: CVE-2017-9798 Apache httpd: CVE-2017-9798 When an unrecognized HTTP Method is given in an directive in an .htaccess file, and that .htaccess file is processed by the corresponding request, the global methods table is corrupted in the current worker process, resulting in erratic behaviour. This behavior may be avoided by listing all unusual HTTP Methods in a global httpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later. To permit other .htacces

CVE-2022-31813 [LOW] Apache httpd: CVE-2022-31813 Apache httpd: CVE-2022-31813 Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. Acknowledgements: The Apache HTTP Server project would like to thank Gaetan Ferry (Synacktiv) for reporting this issue Update 2.4.54 released 2022-06-08 Affects <=2.4.53 Severit

CVE-2008-0005 [LOW] Apache httpd: CVE-2008-0005 Apache httpd: CVE-2008-0005 A workaround was added in the mod_proxy_ftp module. On sites where mod_proxy_ftp is enabled and a forward proxy is configured, a cross-site scripting attack is possible against Web browsers which do not correctly derive the response character set following the rules in RFC 2616. Reported to security team 2007-12-15 Issue public 2008-01-08 Update 2.0.63 released 2008-01-19 Update 2.2.8 released 2008-01-19 Affects 2.2.6, 2

CVE-2020-11985 [LOW] Apache httpd: CVE-2020-11985 Apache httpd: CVE-2020-11985 For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020. Acknowledgements: Reported to security team 2016-10-13 Issue public 2020-08-07 Update 2.4.25 released 2020-08-07 Affects 2.4.23, 2.4.20, 2.4.18, 2.4.17

CVE-2013-4352 [LOW] Apache httpd: CVE-2013-4352 Apache httpd: CVE-2013-4352 A NULL pointer dereference was found in mod_cache. A malicious HTTP server could cause a crash in a caching forward proxy configuration. (Note that this vulnerability was fixed in the 2.4.7 release, but the security impact was not disclosed at the time of the release.) Reported to security team 2013-09-14 Issue public 2014-07-14 Update 2.4.7 released 2013-11-26 Affects 2.4.6 Severity: low

CVE-2012-0883 [LOW] Apache httpd: CVE-2012-0883 Apache httpd: CVE-2012-0883 Insecure handling of LD_LIBRARY_PATH was found that could lead to the current working directory to be searched for DSOs. This could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory. Reported to security team 2012-02-14 Issue public 2012-03-02 Update 2.4.2 released 2012-04-17 Update 2.2.23 released 2012-09-13 Affects 2.4.1, 2.2.22, 2.2.21, 2.2.20, 2.2.19, 2.2.18, 2.

CVE-2010-1623 [LOW] Apache httpd: CVE-2010-1623 Apache httpd: CVE-2010-1623 A flaw was found in the apr_brigade_split_line() function of the bundled APR-util library, used to process non-SSL requests. A remote attacker could send requests, carefully crafting the timing of individual bytes, which would slowly consume memory, potentially leading to a denial of service. Reported to security team 2010-03-03 Issue public 2010-10-01 Update 2.2.17 released 2010-10-19 Update 2.0.64 released 2010-10-19 A

CVE-2019-10098 [LOW] Apache httpd: CVE-2019-10098 Apache httpd: CVE-2019-10098 Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. Acknowledgements: The issue was discovered by Yukitsugu Sasaki Reported to security team 2019-03-26 Issue public 2019-08-14 Update 2.4.41 released 2019-08-14 Affects 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28

CVE-2014-0098 [LOW] Apache httpd: CVE-2014-0098 Apache httpd: CVE-2014-0098 A flaw was found in mod_log_config. A remote attacker could send a specific truncated cookie causing a crash. This crash would only be a denial of service if using a threaded MPM. Acknowledgements: This issue was reported by Rainer M Canavan Reported to security team 2014-02-25 Issue public 2014-03-17 Update 2.4.9 released 2014-03-17 Update 2.2.27 released 2014-03-26 Affects 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.2.

CVE-2020-1934 [LOW] Apache httpd: CVE-2020-1934 Apache httpd: CVE-2020-1934 in Apache HTTP Server versions 2.4.0 to 2.4.41, mod_proxy_ftp use of uninitialized value with malicious FTP backend. Acknowledgements: The issue was discovered by Chamal De Silva Reported to security team 2020-01-03 Issue public 2020-04-01 Update 2.4.42 released 2020-04-01 Affects 2.4.41, 2.4.40, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17

CVE-2005-3357 [LOW] Apache httpd: CVE-2005-3357 Apache httpd: CVE-2005-3357 A NULL pointer dereference flaw in mod_ssl was discovered affecting server configurations where an SSL virtual host is configured with access control and a custom 400 error document. A remote attacker could send a carefully crafted request to trigger this issue which would lead to a crash. This crash would only be a denial of service if using the worker MPM. Reported to security team 2005-12-05 Issue public 2005-12-12 Up

CVE-2018-1312 [LOW] Apache httpd: CVE-2018-1312 Apache httpd: CVE-2018-1312 When generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection. Acknowledgements: The issue was discovered by Nicolas Daniels. Reported to security team 2013-03-05 Issue public 2

CVE-2015-3185 [LOW] Apache httpd: CVE-2015-3185 Apache httpd: CVE-2015-3185 A design error in the "ap_some_auth_required" function renders the API unusuable in httpd 2.4.x. In particular the API is documented to answering if the request required authentication but only answers if there are Require lines in the applicable configuration. Since 2.4.x Require lines are used for authorization as well and can appear in configurations even when no authentication is required and the request is entirely

CVE-2014-8109 [LOW] Apache httpd: CVE-2014-8109 Apache httpd: CVE-2014-8109 Fix handling of the Require line in mod_lau when a LuaAuthzProvider is used in multiple Require directives with different arguments. This could lead to different authentication rules than expected. Reported to security team 2014-11-09 Issue public 2014-11-09 Update 2.4.12 released 2015-01-30 Affects 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1 Severity: low

CVE-2012-4557 [LOW] Apache httpd: CVE-2012-4557 Apache httpd: CVE-2012-4557 A flaw was found when mod_proxy_ajp connects to a backend server that takes too long to respond. Given a specific configuration, a remote attacker could send certain requests, putting a backend server into an error state until the retry timeout expired. This could lead to a temporary denial of service. Reported to security team 2012-10-11 Issue public 2012-01-04 Update 2.2.22 released 2012-01-31 Affects 2.2.21, 2.2.20, 2

CVE-2009-3095 [LOW] Apache httpd: CVE-2009-3095 Apache httpd: CVE-2009-3095 A flaw was found in the mod_proxy_ftp module. In a reverse proxy configuration, a remote attacker could use this flaw to bypass intended access restrictions by creating a carefully-crafted HTTP Authorization header, allowing the attacker to send arbitrary commands to the FTP server. Reported to security team 2009-09-03 Issue public 2009-09-03 Update 2.2.14 released 2009-10-05 Update 2.0.64 released 2010-10-19 Affects 2.2

CVE-2019-0220 [LOW] Apache httpd: CVE-2019-0220 Apache httpd: CVE-2019-0220 When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them. Acknowledgements: The issue was discovered by Bernhard Lorenz of Alpha Strike Labs GmbH. Reported to security team 2019-01-20 Issue public 2019-04-01 Update 2.4.

CVE-2018-11763 [LOW] Apache httpd: CVE-2018-11763 Apache httpd: CVE-2018-11763 By sending continous SETTINGS frames of maximum size an ongoing HTTP/2 connection could be kept busy and would never time out. This can be abused for a DoS on the server. This only affect a server that has enabled the h2 protocol. Acknowledgements: The issue was discovered by Gal Goldshtein of F5 Networks. Reported to security team 2018-07-18 Issue public 2018-09-25 Update 2.4.35 released 2018-09-29 Affects 2.4.34, 2.

CVE-2009-1956 Apache httpd: CVE-2009-1956 Apache httpd: CVE-2009-1956 An off-by-one overflow flaw was found in the way the bundled copy of the APR-util library processed a variable list of arguments. An attacker could provide a specially-crafted string as input for the formatted output conversion routine, which could, on big-endian platforms, potentially lead to the disclosure of sensitive information or a denial of service. Reported to security team 2009-04-24 Issue public 2009-04-24 Update 2.2

CVE-2013-2249 Apache httpd: CVE-2013-2249 Apache httpd: CVE-2013-2249 A flaw in mod_session_dbd caused it to proceed with save operations for a session without considering the dirty flag and the requirement for a new session ID. Acknowledgements: This issue was reported by Takashi Sato Reported to security team 2013-05-29 Issue public 2013-07-22 Update 2.4.6 released 2013-07-22 Affects 2.4.4, 2.4.3, 2.4.2, 2.4.1 Severity: moderate