Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Http_server
(Apache)| Repositories | https://github.com/apache/httpd |
| #Vulnerabilities | 287 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2008-01-12 | CVE-2007-6423 | Unspecified vulnerability in mod_proxy_balancer for Apache HTTP Server 2.2.x before 2.2.7-dev, when running on Windows, allows remote attackers to trigger memory corruption via a long URL. NOTE: the vendor could not reproduce this issue | Http_server | N/A | ||
| 2019-04-08 | CVE-2019-0211 | In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected. | Http_server, Ubuntu_linux, Debian_linux, Fedora, Oncommand_unified_manager, Leap, Communications_session_report_manager, Communications_session_route_manager, Enterprise_manager_ops_center, Http_server, Instantis_enterprisetrack, Retail_xstore_point_of_service, Enterprise_linux, Enterprise_linux_eus, Enterprise_linux_for_arm_64, Enterprise_linux_for_arm_64_eus, Enterprise_linux_for_ibm_z_systems, Enterprise_linux_for_ibm_z_systems_eus, Enterprise_linux_for_power_little_endian, Enterprise_linux_for_power_little_endian_eus, Enterprise_linux_server_aus, Enterprise_linux_server_tus, Enterprise_linux_update_services_for_sap_solutions, Jboss_core_services, Openshift_container_platform, Openshift_container_platform_for_power, Software_collections | 7.8 | ||
| 2021-06-10 | CVE-2019-17567 | Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured. | Http_server, Fedora, Enterprise_manager_ops_center, Instantis_enterprisetrack, Zfs_storage_appliance_kit | 5.3 | ||
| 2008-01-12 | CVE-2007-6420 | Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x allows remote attackers to gain privileges via unspecified vectors. | Http_server, Ubuntu_linux | N/A | ||
| 2011-05-16 | CVE-2011-0419 | Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd. | Http_server, Portable_runtime, Mac_os_x, Debian_linux, Freebsd, Android, Netbsd, Openbsd, Solaris, Linux_enterprise_server | N/A | ||
| 2009-11-03 | CVE-2009-3720 | The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625. | Http_server, Libexpat | N/A | ||
| 2004-05-04 | CVE-2004-0174 | Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket." | Http_server | 7.5 | ||
| 2007-06-27 | CVE-2007-1863 | cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value. | Http_server, Mac_os_x_server | N/A | ||
| 2009-05-28 | CVE-2009-1195 | The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file. | Http_server | N/A | ||
| 2009-10-13 | CVE-2009-2699 | The Solaris pollset feature in the Event Port backend in poll/unix/port.c in the Apache Portable Runtime (APR) library before 1.3.9, as used in the Apache HTTP Server before 2.2.14 and other products, does not properly handle errors, which allows remote attackers to cause a denial of service (daemon hang) via unspecified HTTP requests, related to the prefork and event MPMs. | Http_server, Portable_runtime | 7.5 |