apache

Link package | bugs open | bugs closed | Wiki | GitHub | web search
Description A high performance Unix-based HTTP server
Version 2.4.62-1 [extra]

Resolved

Group Affected Fixed Severity Status Ticket
AVG-2824 2.4.54-3 2.4.55-1 Unknown Fixed
AVG-2763 2.4.53-1 2.4.54-1 Medium Fixed
AVG-2450 2.4.50-1 2.4.51-1 Critical Fixed
AVG-2442 2.4.49-1 2.4.50-1 High Fixed
AVG-2289 2.4.48-1 2.4.49-1 High Fixed
AVG-2054 2.4.46-3 2.4.47-1 Medium Not affected
AVG-2053 2.4.46-3 2.4.47-1 Medium Fixed
AVG-2041 2.4.47-1 2.4.48-1 High Fixed
AVG-1126 2.4.41-1 2.4.43-1 Low Fixed
AVG-946 2.4.38-1 2.4.39-1 Critical Fixed
AVG-857 2.4.37-1 2.4.38-1 High Fixed
AVG-736 2.4.33-3 2.4.34-1 Medium Fixed
AVG-664 2.4.29-1 2.4.33-1 Medium Fixed
AVG-404 2.4.27-1 2.4.27-2 High Fixed
AVG-350 2.4.26-3 2.4.27-1 Critical Fixed
AVG-316 2.4.25-3 2.4.26-1 High Fixed
Issue Group Severity Remote Type Description
CVE-2022-37436 AVG-2824 Unknown Unknown Unknown Unknown
CVE-2022-36760 AVG-2824 Unknown Unknown Unknown Unknown
CVE-2022-31813 AVG-2763 Low Unknown Authentication bypass
Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop...
CVE-2022-30556 AVG-2763 Low Unknown Information disclosure
Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
CVE-2022-30522 AVG-2763 Low Unknown Denial of service
If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make...
CVE-2022-29404 AVG-2763 Low Unknown Denial of service
In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default...
CVE-2022-28615 AVG-2763 Low Unknown Information disclosure
Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely...
CVE-2022-28614 AVG-2763 Low Unknown Unknown
The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input...
CVE-2022-26377 AVG-2763 Medium Yes Unknown
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle...
CVE-2021-42013 AVG-2450 Critical Yes Directory traversal
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to...
CVE-2021-41773 AVG-2442 High Yes Directory traversal
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files...
CVE-2021-41524 AVG-2442 Medium Yes Denial of service
While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server....
CVE-2021-40438 AVG-2289 High Yes Url request injection
In Apache HTTP Server before version 2.4.49, a crafted request uri- path can cause mod_proxy to forward the request to an origin server choosen by the remote user.
CVE-2021-39275 AVG-2289 Low Yes Arbitrary code execution
In Apache HTTP Server before version 2.4.49, ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass...
CVE-2021-36160 AVG-2289 Medium Yes Denial of service
In Apache HTTP Server before version 2.4.49, a carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash...
CVE-2021-34798 AVG-2289 Medium Yes Denial of service
Malformed requests may cause  Apache HTTP Server before version 2.4.49 to dereference a NULL pointer, resulting in denial of service.
CVE-2021-33193 AVG-2289 Medium Yes Url request injection
In Apache HTTP Server before version 2.4.49, a crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to...
CVE-2021-31618 AVG-2041 High Yes Denial of service
A security issue has been found in the Apache HTTP Server (httpd) before version 2.4.48. The Apache HTTP Server protocol handler for the HTTP/2 protocol...
CVE-2021-30641 AVG-2053 Medium Yes Incorrect calculation
Apache HTTP Server versions 2.4.39 to 2.4.46 displays unexpected matching behavior with 'MergeSlashes OFF'.
CVE-2021-26691 AVG-2053 Low Yes Arbitrary code execution
In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted SessionHeader sent by an origin server could cause a heap overflow.
CVE-2021-26690 AVG-2053 Low Yes Denial of service
In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash,...
CVE-2020-35452 AVG-2053 Low Yes Arbitrary code execution
In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this...
CVE-2020-13950 AVG-2053 Low Yes Denial of service
In Apache HTTP Server versions 2.4.41 to 2.4.46, mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both...
CVE-2020-13938 AVG-2054 Medium No Denial of service
In Apache HTTP Server versions 2.4.0 to 2.4.46, unprivileged local users can stop httpd on Windows.
CVE-2020-1934 AVG-1126 Low Yes Information disclosure
The use of an uninitialized value has been found in Apache HTTP Server from 2.4.0 up to and including 2.4.41, in the mod_proxy_ftp module, when proxying to...
CVE-2020-1927 AVG-1126 Low Yes Open redirect
A security issue has been found in Apache HTTP Server from 2.4.0 up to and including 2.4.41, in the mod_rewrite module, where redirects that were intended...
CVE-2019-17567 AVG-2053 Medium Yes Authentication bypass
In Apache HTTP Server versions 2.4.6 to 2.4.46, mod_proxy_wstunnel configured on an URL that is not necessarily upgraded by the origin server was tunneling...
CVE-2019-0220 AVG-946 Low Yes Access restriction bypass
A security issue has been found in Apache HTTPd 2.4.x before 2.4.39. When the path component of a request URL contains multiple consecutive slashes ('/'),...
CVE-2019-0217 AVG-946 High Yes Access restriction bypass
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid...
CVE-2019-0215 AVG-946 High Yes Access restriction bypass
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client...
CVE-2019-0211 AVG-946 Critical Yes Privilege escalation
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads...
CVE-2019-0197 AVG-946 Medium Yes Denial of service
An issue has been found in Apache HTTPd >= 2.4.34 and <= 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host,...
CVE-2019-0196 AVG-946 Medium Yes Denial of service
A use-after-free issue has been found in the http/2 request handling code of Apache HTTPd <= 2.4.18 and <= 2.4.38. Using crafted network input, the http/2...
CVE-2019-0190 AVG-857 High Yes Denial of service
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a...
CVE-2018-17199 AVG-857 Medium Yes Insufficient validation
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time...
CVE-2018-17189 AVG-857 High Yes Denial of service
By sending request bodies in a slow loris way to plain resources, the h2 stream of Apache HTTP Server before 2.4.38 for that request unnecessarily occupied...
CVE-2018-8011 AVG-736 Medium Yes Denial of service
By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be...
CVE-2018-1333 AVG-736 Low Yes Denial of service
By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service.
CVE-2018-1312 AVG-664 Low Yes Content spoofing
In Apache httpd 2.2.0 before 2.4.30, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly...
CVE-2018-1303 AVG-664 Low Yes Denial of service
A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data...
CVE-2018-1302 AVG-664 Low Yes Denial of service
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an...
CVE-2018-1301 AVG-664 Low Yes Denial of service
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached...
CVE-2018-1283 AVG-664 Medium Yes Session hijacking
In Apache httpd 2.2.0 before 2.4.30, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a...
CVE-2017-15715 AVG-664 Low Yes Access restriction bypass
In Apache httpd 2.4.0 before 2.4.30, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than...
CVE-2017-15710 AVG-664 Low Yes Denial of service
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language...
CVE-2017-9798 AVG-404 High Yes Information disclosure
An use after free vulnerability has been discovered in Apache HTTP 2.4.27 that causes a corrupted Allow header to be constructed in response to HTTP OPTIONS...
CVE-2017-9789 AVG-350 Critical Yes Arbitrary code execution
A security issue has been found in apache's mod_http2 <= 2.4.26. When under stress, closing many connections, the HTTP/2 handling code would sometimes...
CVE-2017-9788 AVG-350 High Yes Information disclosure
A security issue has been found in apache's mod_auth_digest <= 2.4.26, leading to information disclosure or denial of service. The value placeholder in...
CVE-2017-7679 AVG-316 Medium Yes Denial of service
An out-of-bounds read has been found in Apache httpd < 2.4.26, where mod_mime can read one byte past the end of a buffer when a malicious Content-Type...
CVE-2017-7668 AVG-316 High Yes Information disclosure
An out-of-bounds read has been found in Apache httpd < 2.4.26. The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list...
CVE-2017-7659 AVG-316 High Yes Denial of service
A NULL-pointer dereference leading to denial of service has been found in the mod_http2 component of Apache httpd < 2.4.26. A maliciously constructed HTTP/2...
CVE-2017-3169 AVG-316 Medium Yes Denial of service
A NULL-pointer dereference leading to denial of service has been found in the mod_ssl component of Apache httpd < 2.4.26. mod_ssl may dereference a NULL...
CVE-2017-3167 AVG-316 Medium Yes Authentication bypass
An authentication bypass flaw has been found in Apache httpd < 2.4.26, where the use of the ap_get_basic_auth_pw() function by third-party modules outside...
CVE-2006-20001 AVG-2824 Unknown Unknown Unknown Unknown

Advisories

Date Advisory Group Severity Type
21 Oct 2021 ASA-202110-1 AVG-2450 Critical directory traversal
09 Jun 2021 ASA-202106-23 AVG-2041 High denial of service
15 Apr 2020 ASA-202004-14 AVG-1126 Low multiple issues
05 Apr 2019 ASA-201904-3 AVG-946 Critical multiple issues
24 Jan 2019 ASA-201901-14 AVG-857 High multiple issues
20 Jul 2018 ASA-201807-12 AVG-736 Medium denial of service
04 Apr 2018 ASA-201804-4 AVG-664 Medium multiple issues
18 Sep 2017 ASA-201709-15 AVG-404 High information disclosure
14 Jul 2017 ASA-201707-15 AVG-350 Critical multiple issues
28 Jun 2017 ASA-201706-34 AVG-316 High multiple issues