| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2022-37436 | AVG-2824 | Unknown | Unknown | Unknown | Unknown |
| CVE-2022-36760 | AVG-2824 | Unknown | Unknown | Unknown | Unknown |
| CVE-2022-31813 | AVG-2763 | Low | Unknown | Authentication bypass | Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop... |
| CVE-2022-30556 | AVG-2763 | Low | Unknown | Information disclosure | Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer. |
| CVE-2022-30522 | AVG-2763 | Low | Unknown | Denial of service | If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make... |
| CVE-2022-29404 | AVG-2763 | Low | Unknown | Denial of service | In Apache HTTP Server 2.4.53 and earlier, a malicious request to a Lua script that calls r:parsebody(0) may cause a denial of service due to no default... |
| CVE-2022-28615 | AVG-2763 | Low | Unknown | Information disclosure | Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely... |
| CVE-2022-28614 | AVG-2763 | Low | Unknown | Unknown | The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input... |
| CVE-2022-26377 | AVG-2763 | Medium | Yes | Unknown | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle... |
| CVE-2021-42013 | AVG-2450 | Critical | Yes | Directory traversal | It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to... |
| CVE-2021-41773 | AVG-2442 | High | Yes | Directory traversal | A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files... |
| CVE-2021-41524 | AVG-2442 | Medium | Yes | Denial of service | While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server.... |
| CVE-2021-40438 | AVG-2289 | High | Yes | Url request injection | In Apache HTTP Server before version 2.4.49, a crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. |
| CVE-2021-39275 | AVG-2289 | Low | Yes | Arbitrary code execution | In Apache HTTP Server before version 2.4.49, ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass... |
| CVE-2021-36160 | AVG-2289 | Medium | Yes | Denial of service | In Apache HTTP Server before version 2.4.49, a carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash... |
| CVE-2021-34798 | AVG-2289 | Medium | Yes | Denial of service | Malformed requests may cause Apache HTTP Server before version 2.4.49 to dereference a NULL pointer, resulting in denial of service. |
| CVE-2021-33193 | AVG-2289 | Medium | Yes | Url request injection | In Apache HTTP Server before version 2.4.49, a crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to... |
| CVE-2021-31618 | AVG-2041 | High | Yes | Denial of service | A security issue has been found in the Apache HTTP Server (httpd) before version 2.4.48. The Apache HTTP Server protocol handler for the HTTP/2 protocol... |
| CVE-2021-30641 | AVG-2053 | Medium | Yes | Incorrect calculation | Apache HTTP Server versions 2.4.39 to 2.4.46 display unexpected matching behavior with 'MergeSlashes OFF'. |
| CVE-2021-26691 | AVG-2053 | Low | Yes | Arbitrary code execution | In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted SessionHeader sent by an origin server could cause a heap overflow. |
| CVE-2021-26690 | AVG-2053 | Low | Yes | Denial of service | In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash,... |
| CVE-2020-35452 | AVG-2053 | Low | Yes | Arbitrary code execution | In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this... |
| CVE-2020-13950 | AVG-2053 | Low | Yes | Denial of service | In Apache HTTP Server versions 2.4.41 to 2.4.46, mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both... |
| CVE-2020-13938 | AVG-2054 | Medium | No | Denial of service | In Apache HTTP Server versions 2.4.0 to 2.4.46, unprivileged local users can stop httpd on Windows. |
| CVE-2020-1934 | AVG-1126 | Low | Yes | Information disclosure | The use of an uninitialized value has been found in Apache HTTP Server from 2.4.0 up to and including 2.4.41, in the mod_proxy_ftp module, when proxying to... |
| CVE-2020-1927 | AVG-1126 | Low | Yes | Open redirect | A security issue has been found in Apache HTTP Server from 2.4.0 up to and including 2.4.41, in the mod_rewrite module, where redirects that were intended... |
| CVE-2019-17567 | AVG-2053 | Medium | Yes | Authentication bypass | In Apache HTTP Server versions 2.4.6 to 2.4.46, mod_proxy_wstunnel configured on an URL that is not necessarily upgraded by the origin server was tunneling... |
| CVE-2019-0220 | AVG-946 | Low | Yes | Access restriction bypass | A security issue has been found in Apache HTTPd 2.4.x before 2.4.39. When the path component of a request URL contains multiple consecutive slashes ('/'),... |
| CVE-2019-0217 | AVG-946 | High | Yes | Access restriction bypass | In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid... |
| CVE-2019-0215 | AVG-946 | High | Yes | Access restriction bypass | In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client... |
| CVE-2019-0211 | AVG-946 | Critical | Yes | Privilege escalation | In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads... |
| CVE-2019-0197 | AVG-946 | Medium | Yes | Denial of service | An issue has been found in Apache HTTPd >= 2.4.34 and <= 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host,... |
| CVE-2019-0196 | AVG-946 | Medium | Yes | Denial of service | A use-after-free issue has been found in the HTTP/2 request handling code of Apache HTTPd <= 2.4.18 and <= 2.4.38. Using crafted network input, the HTTP/2... |
| CVE-2019-0190 | AVG-857 | High | Yes | Denial of service | A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a... |
| CVE-2018-17199 | AVG-857 | Medium | Yes | Insufficient validation | In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time... |
| CVE-2018-17189 | AVG-857 | High | Yes | Denial of service | By sending request bodies in a slow loris way to plain resources, the h2 stream of Apache HTTP Server before 2.4.38 for that request unnecessarily occupied... |
| CVE-2018-8011 | AVG-736 | Medium | Yes | Denial of service | By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be... |
| CVE-2018-1333 | AVG-736 | Low | Yes | Denial of service | By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. |
| CVE-2018-1312 | AVG-664 | Low | Yes | Content spoofing | In Apache httpd 2.2.0 before 2.4.30, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly... |
| CVE-2018-1303 | AVG-664 | Low | Yes | Denial of service | A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data... |
| CVE-2018-1302 | AVG-664 | Low | Yes | Denial of service | When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an... |
| CVE-2018-1301 | AVG-664 | Low | Yes | Denial of service | A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached... |
| CVE-2018-1283 | AVG-664 | Medium | Yes | Session hijacking | In Apache httpd 2.2.0 before 2.4.30, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a... |
| CVE-2017-15715 | AVG-664 | Low | Yes | Access restriction bypass | In Apache httpd 2.4.0 before 2.4.30, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than... |
| CVE-2017-15710 | AVG-664 | Low | Yes | Denial of service | In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language... |
| CVE-2017-9798 | AVG-404 | High | Yes | Information disclosure | A use after free vulnerability has been discovered in Apache HTTP 2.4.27 that causes a corrupted Allow header to be constructed in response to HTTP OPTIONS... |
| CVE-2017-9789 | AVG-350 | Critical | Yes | Arbitrary code execution | A security issue has been found in Apache's mod_http2 <= 2.4.26. When under stress, closing many connections, the HTTP/2 handling code would sometimes... |
| CVE-2017-9788 | AVG-350 | High | Yes | Information disclosure | A security issue has been found in Apache's mod_auth_digest <= 2.4.26, leading to information disclosure or denial of service. The value placeholder in... |
| CVE-2017-7679 | AVG-316 | Medium | Yes | Denial of service | An out-of-bounds read has been found in Apache httpd < 2.4.26, where mod_mime can read one byte past the end of a buffer when a malicious Content-Type... |
| CVE-2017-7668 | AVG-316 | High | Yes | Information disclosure | An out-of-bounds read has been found in Apache httpd < 2.4.26. The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list... |
| CVE-2017-7659 | AVG-316 | High | Yes | Denial of service | A NULL-pointer dereference leading to denial of service has been found in the mod_http2 component of Apache httpd < 2.4.26. A maliciously constructed HTTP/2... |
| CVE-2017-3169 | AVG-316 | Medium | Yes | Denial of service | A NULL-pointer dereference leading to denial of service has been found in the mod_ssl component of Apache httpd < 2.4.26. mod_ssl may dereference a NULL... |
| CVE-2017-3167 | AVG-316 | Medium | Yes | Authentication bypass | An authentication bypass flaw has been found in Apache httpd < 2.4.26, where the use of the ap_get_basic_auth_pw() function by third-party modules outside... |
| CVE-2006-20001 | AVG-2824 | Unknown | Unknown | Unknown | Unknown |