Product:

Http_server

(Oracle)
Repositories

Unknown:

This might be proprietary software.

#Vulnerabilities 101
Date Id Summary Products Score Patch Annotated
2014-03-18 CVE-2014-0098 The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation. Http_server, Ubuntu_linux, Http_server, Secure_global_desktop N/A
2014-04-15 CVE-2013-5704 The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such." Http_server, Mac_os_x, Mac_os_x_server, Ubuntu_linux, Enterprise_manager_ops_center, Http_server, Linux, Solaris, Enterprise_linux_desktop, Enterprise_linux_eus, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_tus, Enterprise_linux_workstation, Jboss_enterprise_web_server N/A
2014-07-20 CVE-2014-0226 Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c. Http_server, Debian_linux, Enterprise_manager_ops_center, Http_server, Secure_global_desktop, Jboss_enterprise_application_platform N/A
2015-12-06 CVE-2015-3195 The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application. Mac_os_x, Ubuntu_linux, Debian_linux, Fedora, Openssl, Leap, Opensuse, Api_gateway, Communications_webrtc_session_controller, Exalogic_infrastructure, Http_server, Integrated_lights_out_manager_firmware, Life_sciences_data_hub, Linux, Solaris, Sun_ray_software, Transportation_management, Vm_server, Vm_virtualbox, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_tus, Enterprise_linux_workstation, Linux_enterprise_server 5.3
2019-02-06 CVE-2018-16890 libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds. Ubuntu_linux, Debian_linux, Big\-Ip_access_policy_manager, Libcurl, Clustered_data_ontap, Communications_operations_monitor, Http_server, Secure_global_desktop, Enterprise_linux, Sinema_remote_connect_client 7.5
2019-02-06 CVE-2019-3822 libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow... Ubuntu_linux, Debian_linux, Libcurl, Active_iq_unified_manager, Clustered_data_ontap, Oncommand_insight, Oncommand_workflow_automation, Snapcenter, Communications_operations_monitor, Enterprise_manager_ops_center, Http_server, Mysql_server, Secure_global_desktop, Services_tools_bundle, Enterprise_linux, Sinema_remote_connect_client 9.8
2019-02-06 CVE-2019-3823 libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller. Ubuntu_linux, Debian_linux, Libcurl, Clustered_data_ontap, Communications_operations_monitor, Http_server, Secure_global_desktop 7.5
2019-04-08 CVE-2019-0217 In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. Http_server, Ubuntu_linux, Debian_linux, Fedora, Clustered_data_ontap, Oncommand_unified_manager, Leap, Enterprise_manager_ops_center, Http_server, Retail_xstore_point_of_service, Enterprise_linux, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_workstation 7.5
2019-06-11 CVE-2019-0197 A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Server that never enabled the h2 protocol or that only enabled it for https: and did not set "H2Upgrade on" are unaffected by this issue. Http_server, Ubuntu_linux, Fedora, Leap, Communications_session_report_manager, Communications_session_route_manager, Enterprise_manager_ops_center, Http_server, Instantis_enterprisetrack, Retail_xstore_point_of_service, Jboss_core_services 4.2
2019-06-24 CVE-2018-20843 In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). Ubuntu_linux, Debian_linux, Fedora, Libexpat, Leap, Hospitality_res_3700, Http_server, Outside_in_technology, Nessus 7.5