Search for packages
| purl | pkg:apache/httpd@2.2.24 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1189-ej89-hybs
Aliases: CVE-2017-3169 |
mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. |
Affected by 1 other vulnerability. Affected by 32 other vulnerabilities. |
|
VCID-1d24-sy5z-jfhh
Aliases: CVE-2013-5704 |
HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. This fix adds the "MergeTrailers" directive to restore legacy behavior. |
Affected by 9 other vulnerabilities. Affected by 33 other vulnerabilities. |
|
VCID-1zk6-7wv2-ukcz
Aliases: CVE-2014-0118 |
A resource consumption flaw was found in mod_deflate. If request body decompression was configured (using the "DEFLATE" input filter), a remote attacker could cause the server to consume significant memory and/or CPU resources. The use of request body decompression is not a common configuration. |
Affected by 9 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-2xc4-7zg9-y7fw
Aliases: CVE-2016-5387 |
HTTP_PROXY is a well-defined environment variable in a CGI process, which collided with a number of libraries which failed to avoid colliding with this CGI namespace. A mitigation is provided for the httpd CGI environment to avoid populating the "HTTP_PROXY" variable from a "Proxy:" header, which has never been registered by IANA. This workaround and patch are documented in the ASF Advisory at asf-httpoxy-response.txt and incorporated in the 2.4.25 and 2.2.32 releases. Note: This is not assigned an httpd severity, as it is a defect in other software which overloaded well-established CGI environment variables, and does not reflect an error in HTTP server software. |
Affected by 6 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-5bej-9h7w-33c8
Aliases: CVE-2017-9798 |
When an unrecognized HTTP Method is given in an <Limit {method}> directive in an .htaccess file, and that .htaccess file is processed by the corresponding request, the global methods table is corrupted in the current worker process, resulting in erratic behaviour. This behavior may be avoided by listing all unusual HTTP Methods in a global httpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later. To permit other .htaccess directives while denying the <Limit > directive, see the AllowOverrideList directive. Source code patch (2.4) is at; CVE-2017-9798-patch-2.4.patch Source code patch (2.2) is at; CVE-2017-9798-patch-2.2.patch Note 2.2 is end-of-life, no further release with this fix is planned. Users are encouraged to migrate to 2.4.28 or later for this and other fixes. |
Affected by 29 other vulnerabilities. |
|
VCID-6pzx-1e5t-xbes
Aliases: CVE-2013-6438 |
XML parsing code in mod_dav incorrectly calculates the end of the string when removing leading spaces and places a NUL character outside the buffer, causing random crashes. This XML parsing code is only used with DAV provider modules that support DeltaV, of which the only publicly released provider is mod_dav_svn. |
Affected by 13 other vulnerabilities. Affected by 40 other vulnerabilities. |
|
VCID-8gcm-7q3n-q7bm
Aliases: CVE-2016-4975 |
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. |
Affected by 6 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-fyrq-yg2u-jkc7
Aliases: CVE-2017-7679 |
mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. |
Affected by 1 other vulnerability. Affected by 32 other vulnerabilities. |
|
VCID-jt89-ruvk-1kbj
Aliases: CVE-2017-9788 |
The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault. |
Affected by 1 other vulnerability. Affected by 30 other vulnerabilities. |
|
VCID-k4kb-21tp-4kc8
Aliases: CVE-2015-3183 |
An HTTP request smuggling attack was possible due to a bug in parsing of chunked requests. A malicious client could force the server to misinterpret the request length, allowing cache poisoning or credential hijacking if an intermediary proxy is in use. |
Affected by 8 other vulnerabilities. Affected by 29 other vulnerabilities. |
|
VCID-ke1s-451y-p3cz
Aliases: CVE-2014-0098 |
A flaw was found in mod_log_config. A remote attacker could send a specific truncated cookie causing a crash. This crash would only be a denial of service if using a threaded MPM. |
Affected by 13 other vulnerabilities. Affected by 40 other vulnerabilities. |
|
VCID-kpew-rarv-83dg
Aliases: CVE-2014-0231 |
A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI scripts which did not consume standard input, a remote attacker could cause child processes to hang indefinitely, leading to denial of service. |
Affected by 9 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-pc2n-ga7g-byga
Aliases: CVE-2016-8743 |
Apache HTTP Server, prior to release 2.4.25 (and 2.2.32), accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines was treated as whitespace and remained in the request field member "the_request", while a bare CR in the request header field name would be honored as whitespace, and a bare CR in the request header field value was retained the input headers array. Implied additional whitespace was accepted in the request line and prior to the ':' delimiter of any request header lines. RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section 3.2.3 eliminated and clarified the role of implied whitespace in the grammer of this specification. Section 3.1.1 requires exactly one single SP between the method and request-target, and between the request-target and HTTP-version, followed immediately by a CRLF sequence. None of these fields permit any (unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed any whitespace from the request header field prior to the ':' character, while Section 3.2 disallows all CTL characters in the request header line other than the HTAB character as whitespace. These defects represent a security concern when httpd is participating in any chain of proxies or interacting with back-end application servers, either through mod_proxy or using conventional CGI mechanisms. In each case where one agent accepts such CTL characters and does not treat them as whitespace, there is the possiblity in a proxy chain of generating two responses from a server behind the uncautious proxy agent. In a sequence of two requests, this results in request A to the first proxy being interpreted as requests A + A' by the backend server, and if requests A and B were submitted to the first proxy in a keepalive connection, the proxy may interpret response A' as the response to request B, polluting the cache or potentially serving the A' content to a different downstream user-agent. These defects are addressed with the release of Apache HTTP Server 2.4.25 and coordinated by a new directive; HttpProtocolOptions Strict which is the default behavior of 2.4.25 and later. By toggling from 'Strict' behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow some invalid HTTP/1.1 clients to communicate with the server, but this will reintroduce the possibility of the problems described in this assessment. Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs other than HTAB (where permitted), but will allow other RFC requirements to not be enforced, such as exactly two SP characters in the request line. |
Affected by 6 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-qayj-kts9-3fde
Aliases: CVE-2017-3167 |
Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request. |
Affected by 1 other vulnerability. Affected by 32 other vulnerabilities. |
|
VCID-tbud-pwyt-aye9
Aliases: CVE-2014-0226 |
A race condition was found in mod_status. An attacker able to access a public server status page on a server using a threaded MPM could send a carefully crafted request which could lead to a heap buffer overflow. Note that it is not a default or recommended configuration to have a public accessible server status page. |
Affected by 9 other vulnerabilities. Affected by 36 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-rhk3-ujc1-q7fj | Various XSS flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. |
CVE-2012-3499
|
| VCID-ssvj-7g27-1ug6 | A XSS flaw affected the mod_proxy_balancer manager interface. |
CVE-2012-4558
|
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:36:21.405700+00:00 | Apache HTTPD Importer | Affected by | VCID-5bej-9h7w-33c8 | https://httpd.apache.org/security/json/CVE-2017-9798.json | 38.0.0 |
| 2026-04-01T12:36:21.230687+00:00 | Apache HTTPD Importer | Affected by | VCID-jt89-ruvk-1kbj | https://httpd.apache.org/security/json/CVE-2017-9788.json | 38.0.0 |
| 2026-04-01T12:36:21.064199+00:00 | Apache HTTPD Importer | Affected by | VCID-fyrq-yg2u-jkc7 | https://httpd.apache.org/security/json/CVE-2017-7679.json | 38.0.0 |
| 2026-04-01T12:36:20.857639+00:00 | Apache HTTPD Importer | Affected by | VCID-1189-ej89-hybs | https://httpd.apache.org/security/json/CVE-2017-3169.json | 38.0.0 |
| 2026-04-01T12:36:20.697227+00:00 | Apache HTTPD Importer | Affected by | VCID-qayj-kts9-3fde | https://httpd.apache.org/security/json/CVE-2017-3167.json | 38.0.0 |
| 2026-04-01T12:36:20.553750+00:00 | Apache HTTPD Importer | Affected by | VCID-pc2n-ga7g-byga | https://httpd.apache.org/security/json/CVE-2016-8743.json | 38.0.0 |
| 2026-04-01T12:36:20.383969+00:00 | Apache HTTPD Importer | Affected by | VCID-2xc4-7zg9-y7fw | https://httpd.apache.org/security/json/CVE-2016-5387.json | 38.0.0 |
| 2026-04-01T12:36:20.211605+00:00 | Apache HTTPD Importer | Affected by | VCID-8gcm-7q3n-q7bm | https://httpd.apache.org/security/json/CVE-2016-4975.json | 38.0.0 |
| 2026-04-01T12:36:19.960290+00:00 | Apache HTTPD Importer | Affected by | VCID-k4kb-21tp-4kc8 | https://httpd.apache.org/security/json/CVE-2015-3183.json | 38.0.0 |
| 2026-04-01T12:36:19.698865+00:00 | Apache HTTPD Importer | Affected by | VCID-kpew-rarv-83dg | https://httpd.apache.org/security/json/CVE-2014-0231.json | 38.0.0 |
| 2026-04-01T12:36:19.572894+00:00 | Apache HTTPD Importer | Affected by | VCID-tbud-pwyt-aye9 | https://httpd.apache.org/security/json/CVE-2014-0226.json | 38.0.0 |
| 2026-04-01T12:36:19.451255+00:00 | Apache HTTPD Importer | Affected by | VCID-1zk6-7wv2-ukcz | https://httpd.apache.org/security/json/CVE-2014-0118.json | 38.0.0 |
| 2026-04-01T12:36:19.313362+00:00 | Apache HTTPD Importer | Affected by | VCID-ke1s-451y-p3cz | https://httpd.apache.org/security/json/CVE-2014-0098.json | 38.0.0 |
| 2026-04-01T12:36:19.193575+00:00 | Apache HTTPD Importer | Affected by | VCID-6pzx-1e5t-xbes | https://httpd.apache.org/security/json/CVE-2013-6438.json | 38.0.0 |
| 2026-04-01T12:36:19.036762+00:00 | Apache HTTPD Importer | Affected by | VCID-1d24-sy5z-jfhh | https://httpd.apache.org/security/json/CVE-2013-5704.json | 38.0.0 |
| 2026-04-01T12:36:18.654953+00:00 | Apache HTTPD Importer | Fixing | VCID-ssvj-7g27-1ug6 | https://httpd.apache.org/security/json/CVE-2012-4558.json | 38.0.0 |
| 2026-04-01T12:36:18.514104+00:00 | Apache HTTPD Importer | Fixing | VCID-rhk3-ujc1-q7fj | https://httpd.apache.org/security/json/CVE-2012-3499.json | 38.0.0 |