Search for packages
| purl | pkg:apache/httpd@2.2.20 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1189-ej89-hybs
Aliases: CVE-2017-3169 |
mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. |
Affected by 1 other vulnerability. Affected by 32 other vulnerabilities. |
|
VCID-1bv2-mkj8-ubaz
Aliases: CVE-2013-1862 |
mod_rewrite does not filter terminal escape sequences from logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. |
Affected by 15 other vulnerabilities. |
|
VCID-1d24-sy5z-jfhh
Aliases: CVE-2013-5704 |
HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. This fix adds the "MergeTrailers" directive to restore legacy behavior. |
Affected by 9 other vulnerabilities. Affected by 33 other vulnerabilities. |
|
VCID-1zk6-7wv2-ukcz
Aliases: CVE-2014-0118 |
A resource consumption flaw was found in mod_deflate. If request body decompression was configured (using the "DEFLATE" input filter), a remote attacker could cause the server to consume significant memory and/or CPU resources. The use of request body decompression is not a common configuration. |
Affected by 9 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-2xc4-7zg9-y7fw
Aliases: CVE-2016-5387 |
HTTP_PROXY is a well-defined environment variable in a CGI process, which collided with a number of libraries which failed to avoid colliding with this CGI namespace. A mitigation is provided for the httpd CGI environment to avoid populating the "HTTP_PROXY" variable from a "Proxy:" header, which has never been registered by IANA. This workaround and patch are documented in the ASF Advisory at asf-httpoxy-response.txt and incorporated in the 2.4.25 and 2.2.32 releases. Note: This is not assigned an httpd severity, as it is a defect in other software which overloaded well-established CGI environment variables, and does not reflect an error in HTTP server software. |
Affected by 6 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-53da-z9gn-n7f2
Aliases: CVE-2012-0021 |
A flaw was found in mod_log_config. If the '%{cookiename}C' log format string is in use, a remote attacker could send a specific cookie causing a crash. This crash would only be a denial of service if using a threaded MPM. |
Affected by 21 other vulnerabilities. |
|
VCID-5bej-9h7w-33c8
Aliases: CVE-2017-9798 |
When an unrecognized HTTP Method is given in an <Limit {method}> directive in an .htaccess file, and that .htaccess file is processed by the corresponding request, the global methods table is corrupted in the current worker process, resulting in erratic behaviour. This behavior may be avoided by listing all unusual HTTP Methods in a global httpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later. To permit other .htaccess directives while denying the <Limit > directive, see the AllowOverrideList directive. Source code patch (2.4) is at; CVE-2017-9798-patch-2.4.patch Source code patch (2.2) is at; CVE-2017-9798-patch-2.2.patch Note 2.2 is end-of-life, no further release with this fix is planned. Users are encouraged to migrate to 2.4.28 or later for this and other fixes. |
Affected by 29 other vulnerabilities. |
|
VCID-5yez-d5nj-q7eq
Aliases: CVE-2011-3607 |
An integer overflow flaw was found which, when the mod_setenvif module is enabled, could allow local users to gain privileges via a .htaccess file. |
Affected by 21 other vulnerabilities. |
|
VCID-6bez-sgg8-cbbq
Aliases: CVE-2012-2687 |
Possible XSS for sites which use mod_negotiation and allow untrusted uploads to locations which have MultiViews enabled. Note: This issue is also known as CVE-2008-0455. |
Affected by 19 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-6pzx-1e5t-xbes
Aliases: CVE-2013-6438 |
XML parsing code in mod_dav incorrectly calculates the end of the string when removing leading spaces and places a NUL character outside the buffer, causing random crashes. This XML parsing code is only used with DAV provider modules that support DeltaV, of which the only publicly released provider is mod_dav_svn. |
Affected by 13 other vulnerabilities. Affected by 40 other vulnerabilities. |
|
VCID-6vze-zk58-7yep
Aliases: CVE-2011-3348 |
A flaw was found when mod_proxy_ajp is used together with mod_proxy_balancer. Given a specific configuration, a remote attacker could send certain malformed HTTP requests, putting a backend server into an error state until the retry timeout expired. This could lead to a temporary denial of service. |
Affected by 28 other vulnerabilities. |
|
VCID-8axm-4anr-27ht
Aliases: CVE-2013-1896 |
Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault. |
Affected by 15 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-8gcm-7q3n-q7bm
Aliases: CVE-2016-4975 |
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. |
Affected by 6 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-d4rc-pnv5-6uc8
Aliases: CVE-2012-0053 |
A flaw was found in the default error response for status code 400. This flaw could be used by an attacker to expose "httpOnly" cookies when no custom ErrorDocument is specified. |
Affected by 21 other vulnerabilities. |
|
VCID-ese4-47tg-efbw
Aliases: CVE-2012-0883 |
Insecure handling of LD_LIBRARY_PATH was found that could lead to the current working directory to be searched for DSOs. This could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory. |
Affected by 19 other vulnerabilities. Affected by 44 other vulnerabilities. |
|
VCID-fyrq-yg2u-jkc7
Aliases: CVE-2017-7679 |
mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. |
Affected by 1 other vulnerability. Affected by 32 other vulnerabilities. |
|
VCID-gu44-7hkr-muae
Aliases: CVE-2011-4317 |
An additional exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker. |
Affected by 21 other vulnerabilities. |
|
VCID-jt89-ruvk-1kbj
Aliases: CVE-2017-9788 |
The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault. |
Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
|
VCID-k4kb-21tp-4kc8
Aliases: CVE-2015-3183 |
An HTTP request smuggling attack was possible due to a bug in parsing of chunked requests. A malicious client could force the server to misinterpret the request length, allowing cache poisoning or credential hijacking if an intermediary proxy is in use. |
Affected by 8 other vulnerabilities. Affected by 29 other vulnerabilities. |
|
VCID-ke1s-451y-p3cz
Aliases: CVE-2014-0098 |
A flaw was found in mod_log_config. A remote attacker could send a specific truncated cookie causing a crash. This crash would only be a denial of service if using a threaded MPM. |
Affected by 13 other vulnerabilities. Affected by 40 other vulnerabilities. |
|
VCID-kpew-rarv-83dg
Aliases: CVE-2014-0231 |
A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI scripts which did not consume standard input, a remote attacker could cause child processes to hang indefinitely, leading to denial of service. |
Affected by 9 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-n9e1-c2zs-zkdk
Aliases: CVE-2012-4557 |
A flaw was found when mod_proxy_ajp connects to a backend server that takes too long to respond. Given a specific configuration, a remote attacker could send certain requests, putting a backend server into an error state until the retry timeout expired. This could lead to a temporary denial of service. |
Affected by 21 other vulnerabilities. |
|
VCID-pc2n-ga7g-byga
Aliases: CVE-2016-8743 |
Apache HTTP Server, prior to release 2.4.25 (and 2.2.32), accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines was treated as whitespace and remained in the request field member "the_request", while a bare CR in the request header field name would be honored as whitespace, and a bare CR in the request header field value was retained the input headers array. Implied additional whitespace was accepted in the request line and prior to the ':' delimiter of any request header lines. RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section 3.2.3 eliminated and clarified the role of implied whitespace in the grammer of this specification. Section 3.1.1 requires exactly one single SP between the method and request-target, and between the request-target and HTTP-version, followed immediately by a CRLF sequence. None of these fields permit any (unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed any whitespace from the request header field prior to the ':' character, while Section 3.2 disallows all CTL characters in the request header line other than the HTAB character as whitespace. These defects represent a security concern when httpd is participating in any chain of proxies or interacting with back-end application servers, either through mod_proxy or using conventional CGI mechanisms. In each case where one agent accepts such CTL characters and does not treat them as whitespace, there is the possiblity in a proxy chain of generating two responses from a server behind the uncautious proxy agent. In a sequence of two requests, this results in request A to the first proxy being interpreted as requests A + A' by the backend server, and if requests A and B were submitted to the first proxy in a keepalive connection, the proxy may interpret response A' as the response to request B, polluting the cache or potentially serving the A' content to a different downstream user-agent. These defects are addressed with the release of Apache HTTP Server 2.4.25 and coordinated by a new directive; HttpProtocolOptions Strict which is the default behavior of 2.4.25 and later. By toggling from 'Strict' behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow some invalid HTTP/1.1 clients to communicate with the server, but this will reintroduce the possibility of the problems described in this assessment. Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs other than HTAB (where permitted), but will allow other RFC requirements to not be enforced, such as exactly two SP characters in the request line. |
Affected by 6 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-prd8-51a5-pygj
Aliases: CVE-2011-3368 |
An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations using RewriteRule with proxy flag or ProxyPassMatch, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to attacker. No update of 1.3 will be released. Patches will be published to https://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/ |
Affected by 21 other vulnerabilities. |
|
VCID-qayj-kts9-3fde
Aliases: CVE-2017-3167 |
Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request. |
Affected by 1 other vulnerability. Affected by 32 other vulnerabilities. |
|
VCID-rhk3-ujc1-q7fj
Aliases: CVE-2012-3499 |
Various XSS flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. |
Affected by 15 other vulnerabilities. Affected by 40 other vulnerabilities. |
|
VCID-ssvj-7g27-1ug6
Aliases: CVE-2012-4558 |
A XSS flaw affected the mod_proxy_balancer manager interface. |
Affected by 15 other vulnerabilities. Affected by 40 other vulnerabilities. |
|
VCID-tbud-pwyt-aye9
Aliases: CVE-2014-0226 |
A race condition was found in mod_status. An attacker able to access a public server status page on a server using a threaded MPM could send a carefully crafted request which could lead to a heap buffer overflow. Note that it is not a default or recommended configuration to have a public accessible server status page. |
Affected by 9 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-ym93-sxb8-fkdm
Aliases: CVE-2012-0031 |
A flaw was found in the handling of the scoreboard. An unprivileged child process could cause the parent process to crash at shutdown rather than terminate cleanly. |
Affected by 21 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-kkfv-4jd1-bqdm | A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header. This could be used in a denial of service attack. Advisory: CVE-2011-3192.txt |
CVE-2011-3192
|
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:36:21.398603+00:00 | Apache HTTPD Importer | Affected by | VCID-5bej-9h7w-33c8 | https://httpd.apache.org/security/json/CVE-2017-9798.json | 38.0.0 |
| 2026-04-01T12:36:21.223688+00:00 | Apache HTTPD Importer | Affected by | VCID-jt89-ruvk-1kbj | https://httpd.apache.org/security/json/CVE-2017-9788.json | 38.0.0 |
| 2026-04-01T12:36:21.056068+00:00 | Apache HTTPD Importer | Affected by | VCID-fyrq-yg2u-jkc7 | https://httpd.apache.org/security/json/CVE-2017-7679.json | 38.0.0 |
| 2026-04-01T12:36:20.849968+00:00 | Apache HTTPD Importer | Affected by | VCID-1189-ej89-hybs | https://httpd.apache.org/security/json/CVE-2017-3169.json | 38.0.0 |
| 2026-04-01T12:36:20.691040+00:00 | Apache HTTPD Importer | Affected by | VCID-qayj-kts9-3fde | https://httpd.apache.org/security/json/CVE-2017-3167.json | 38.0.0 |
| 2026-04-01T12:36:20.546058+00:00 | Apache HTTPD Importer | Affected by | VCID-pc2n-ga7g-byga | https://httpd.apache.org/security/json/CVE-2016-8743.json | 38.0.0 |
| 2026-04-01T12:36:20.378012+00:00 | Apache HTTPD Importer | Affected by | VCID-2xc4-7zg9-y7fw | https://httpd.apache.org/security/json/CVE-2016-5387.json | 38.0.0 |
| 2026-04-01T12:36:20.204897+00:00 | Apache HTTPD Importer | Affected by | VCID-8gcm-7q3n-q7bm | https://httpd.apache.org/security/json/CVE-2016-4975.json | 38.0.0 |
| 2026-04-01T12:36:19.952607+00:00 | Apache HTTPD Importer | Affected by | VCID-k4kb-21tp-4kc8 | https://httpd.apache.org/security/json/CVE-2015-3183.json | 38.0.0 |
| 2026-04-01T12:36:19.691580+00:00 | Apache HTTPD Importer | Affected by | VCID-kpew-rarv-83dg | https://httpd.apache.org/security/json/CVE-2014-0231.json | 38.0.0 |
| 2026-04-01T12:36:19.565733+00:00 | Apache HTTPD Importer | Affected by | VCID-tbud-pwyt-aye9 | https://httpd.apache.org/security/json/CVE-2014-0226.json | 38.0.0 |
| 2026-04-01T12:36:19.444646+00:00 | Apache HTTPD Importer | Affected by | VCID-1zk6-7wv2-ukcz | https://httpd.apache.org/security/json/CVE-2014-0118.json | 38.0.0 |
| 2026-04-01T12:36:19.307099+00:00 | Apache HTTPD Importer | Affected by | VCID-ke1s-451y-p3cz | https://httpd.apache.org/security/json/CVE-2014-0098.json | 38.0.0 |
| 2026-04-01T12:36:19.185478+00:00 | Apache HTTPD Importer | Affected by | VCID-6pzx-1e5t-xbes | https://httpd.apache.org/security/json/CVE-2013-6438.json | 38.0.0 |
| 2026-04-01T12:36:19.029492+00:00 | Apache HTTPD Importer | Affected by | VCID-1d24-sy5z-jfhh | https://httpd.apache.org/security/json/CVE-2013-5704.json | 38.0.0 |
| 2026-04-01T12:36:18.895220+00:00 | Apache HTTPD Importer | Affected by | VCID-8axm-4anr-27ht | https://httpd.apache.org/security/json/CVE-2013-1896.json | 38.0.0 |
| 2026-04-01T12:36:18.774092+00:00 | Apache HTTPD Importer | Affected by | VCID-1bv2-mkj8-ubaz | https://httpd.apache.org/security/json/CVE-2013-1862.json | 38.0.0 |
| 2026-04-01T12:36:18.642941+00:00 | Apache HTTPD Importer | Affected by | VCID-ssvj-7g27-1ug6 | https://httpd.apache.org/security/json/CVE-2012-4558.json | 38.0.0 |
| 2026-04-01T12:36:18.591442+00:00 | Apache HTTPD Importer | Affected by | VCID-n9e1-c2zs-zkdk | https://httpd.apache.org/security/json/CVE-2012-4557.json | 38.0.0 |
| 2026-04-01T12:36:18.501019+00:00 | Apache HTTPD Importer | Affected by | VCID-rhk3-ujc1-q7fj | https://httpd.apache.org/security/json/CVE-2012-3499.json | 38.0.0 |
| 2026-04-01T12:36:18.409149+00:00 | Apache HTTPD Importer | Affected by | VCID-6bez-sgg8-cbbq | https://httpd.apache.org/security/json/CVE-2012-2687.json | 38.0.0 |
| 2026-04-01T12:36:18.319004+00:00 | Apache HTTPD Importer | Affected by | VCID-ese4-47tg-efbw | https://httpd.apache.org/security/json/CVE-2012-0883.json | 38.0.0 |
| 2026-04-01T12:36:18.210053+00:00 | Apache HTTPD Importer | Affected by | VCID-d4rc-pnv5-6uc8 | https://httpd.apache.org/security/json/CVE-2012-0053.json | 38.0.0 |
| 2026-04-01T12:36:18.045186+00:00 | Apache HTTPD Importer | Affected by | VCID-ym93-sxb8-fkdm | https://httpd.apache.org/security/json/CVE-2012-0031.json | 38.0.0 |
| 2026-04-01T12:36:17.957161+00:00 | Apache HTTPD Importer | Affected by | VCID-53da-z9gn-n7f2 | https://httpd.apache.org/security/json/CVE-2012-0021.json | 38.0.0 |
| 2026-04-01T12:36:17.935146+00:00 | Apache HTTPD Importer | Affected by | VCID-gu44-7hkr-muae | https://httpd.apache.org/security/json/CVE-2011-4317.json | 38.0.0 |
| 2026-04-01T12:36:17.825485+00:00 | Apache HTTPD Importer | Affected by | VCID-5yez-d5nj-q7eq | https://httpd.apache.org/security/json/CVE-2011-3607.json | 38.0.0 |
| 2026-04-01T12:36:17.636721+00:00 | Apache HTTPD Importer | Affected by | VCID-prd8-51a5-pygj | https://httpd.apache.org/security/json/CVE-2011-3368.json | 38.0.0 |
| 2026-04-01T12:36:17.501716+00:00 | Apache HTTPD Importer | Affected by | VCID-6vze-zk58-7yep | https://httpd.apache.org/security/json/CVE-2011-3348.json | 38.0.0 |
| 2026-04-01T12:36:17.474045+00:00 | Apache HTTPD Importer | Fixing | VCID-kkfv-4jd1-bqdm | https://httpd.apache.org/security/json/CVE-2011-3192.json | 38.0.0 |