Search for packages
| purl | pkg:apache/httpd@2.4.16 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1189-ej89-hybs
Aliases: CVE-2017-3169 |
mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. |
Affected by 32 other vulnerabilities. |
|
VCID-17hy-4ppt-xyhw
Aliases: CVE-2021-26691 |
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted SessionHeader sent by an origin server could cause a heap overflow |
Affected by 5 other vulnerabilities. |
|
VCID-2nmh-7tfa-zyb2
Aliases: CVE-2016-0736 |
Prior to Apache HTTP release 2.4.25, mod_sessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC. An authentication tag (SipHash MAC) is now added to prevent such attacks. |
Affected by 36 other vulnerabilities. |
|
VCID-2xc4-7zg9-y7fw
Aliases: CVE-2016-5387 |
HTTP_PROXY is a well-defined environment variable in a CGI process, which collided with a number of libraries which failed to avoid colliding with this CGI namespace. A mitigation is provided for the httpd CGI environment to avoid populating the "HTTP_PROXY" variable from a "Proxy:" header, which has never been registered by IANA. This workaround and patch are documented in the ASF Advisory at asf-httpoxy-response.txt and incorporated in the 2.4.25 and 2.2.32 releases. Note: This is not assigned an httpd severity, as it is a defect in other software which overloaded well-established CGI environment variables, and does not reflect an error in HTTP server software. |
Affected by 36 other vulnerabilities. |
|
VCID-3djp-gq4c-1fa9
Aliases: CVE-2019-10092 |
A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malfomed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed. We have taken this opportunity to also remove request data from many other in-built error messages. Note however this issue did not affect them directly and their output was already escaped to prevent cross-site scripting attacks. |
Affected by 9 other vulnerabilities. |
|
VCID-5bej-9h7w-33c8
Aliases: CVE-2017-9798 |
When an unrecognized HTTP Method is given in an <Limit {method}> directive in an .htaccess file, and that .htaccess file is processed by the corresponding request, the global methods table is corrupted in the current worker process, resulting in erratic behaviour. This behavior may be avoided by listing all unusual HTTP Methods in a global httpd.conf RegisterHttpMethod directive in httpd release 2.4.25 and later. To permit other .htaccess directives while denying the <Limit > directive, see the AllowOverrideList directive. Source code patch (2.4) is at; CVE-2017-9798-patch-2.4.patch Source code patch (2.2) is at; CVE-2017-9798-patch-2.2.patch Note 2.2 is end-of-life, no further release with this fix is planned. Users are encouraged to migrate to 2.4.28 or later for this and other fixes. |
Affected by 29 other vulnerabilities. |
|
VCID-5xrt-1n1q-4bey
Aliases: CVE-2020-1927 |
In Apache HTTP Server versions 2.4.0 to 2.4.41 some mod_rewrite configurations vulnerable to open redirect. |
Affected by 0 other vulnerabilities. |
|
VCID-66k7-maf9-dfcd
Aliases: CVE-2020-35452 |
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow |
Affected by 5 other vulnerabilities. |
|
VCID-8gcm-7q3n-q7bm
Aliases: CVE-2016-4975 |
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. |
Affected by 36 other vulnerabilities. |
|
VCID-91u7-vh6n-v7fm
Aliases: CVE-2020-13938 |
Apache HTTP Server versions 2.4.0 to 2.4.46 Unprivileged local users can stop httpd on Windows |
Affected by 5 other vulnerabilities. |
|
VCID-9qdr-1v39-d7b7
Aliases: CVE-2018-1283 |
When mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications. The severity is set to Moderate because "SessionEnv on" is not a default nor common configuration, it should be considered more severe when this is the case though, because of the possible remote exploitation. |
Affected by 25 other vulnerabilities. |
|
VCID-auhk-ppv5-buaa
Aliases: CVE-2020-1934 |
in Apache HTTP Server versions 2.4.0 to 2.4.41, mod_proxy_ftp use of uninitialized value with malicious FTP backend. |
Affected by 0 other vulnerabilities. |
|
VCID-bvkg-nrwd-e7g8
Aliases: CVE-2021-26690 |
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service |
Affected by 5 other vulnerabilities. |
|
VCID-ct26-19cq-8kd7
Aliases: CVE-2018-17199 |
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded. |
Affected by 22 other vulnerabilities. |
|
VCID-f2y3-s6j8-7ygr
Aliases: CVE-2019-17567 |
Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured. |
Affected by 5 other vulnerabilities. |
|
VCID-fqem-96w3-rucb
Aliases: CVE-2018-1312 |
When generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection. |
Affected by 25 other vulnerabilities. |
|
VCID-fyrq-yg2u-jkc7
Aliases: CVE-2017-7679 |
mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. |
Affected by 32 other vulnerabilities. |
|
VCID-h6kk-81jx-h7b8
Aliases: CVE-2019-10098 |
Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. |
Affected by 9 other vulnerabilities. |
|
VCID-jt89-ruvk-1kbj
Aliases: CVE-2017-9788 |
The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments. by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault. |
Affected by 30 other vulnerabilities. |
|
VCID-jzuw-73df-mfff
Aliases: CVE-2018-1301 |
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.33, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage. |
Affected by 25 other vulnerabilities. |
|
VCID-pc2n-ga7g-byga
Aliases: CVE-2016-8743 |
Apache HTTP Server, prior to release 2.4.25 (and 2.2.32), accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines was treated as whitespace and remained in the request field member "the_request", while a bare CR in the request header field name would be honored as whitespace, and a bare CR in the request header field value was retained the input headers array. Implied additional whitespace was accepted in the request line and prior to the ':' delimiter of any request header lines. RFC7230 Section 3.5 calls out some of these whitespace exceptions, and section 3.2.3 eliminated and clarified the role of implied whitespace in the grammer of this specification. Section 3.1.1 requires exactly one single SP between the method and request-target, and between the request-target and HTTP-version, followed immediately by a CRLF sequence. None of these fields permit any (unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed any whitespace from the request header field prior to the ':' character, while Section 3.2 disallows all CTL characters in the request header line other than the HTAB character as whitespace. These defects represent a security concern when httpd is participating in any chain of proxies or interacting with back-end application servers, either through mod_proxy or using conventional CGI mechanisms. In each case where one agent accepts such CTL characters and does not treat them as whitespace, there is the possiblity in a proxy chain of generating two responses from a server behind the uncautious proxy agent. In a sequence of two requests, this results in request A to the first proxy being interpreted as requests A + A' by the backend server, and if requests A and B were submitted to the first proxy in a keepalive connection, the proxy may interpret response A' as the response to request B, polluting the cache or potentially serving the A' content to a different downstream user-agent. These defects are addressed with the release of Apache HTTP Server 2.4.25 and coordinated by a new directive; HttpProtocolOptions Strict which is the default behavior of 2.4.25 and later. By toggling from 'Strict' behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow some invalid HTTP/1.1 clients to communicate with the server, but this will reintroduce the possibility of the problems described in this assessment. Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs other than HTAB (where permitted), but will allow other RFC requirements to not be enforced, such as exactly two SP characters in the request line. |
Affected by 36 other vulnerabilities. |
|
VCID-q5wm-suxb-jfeb
Aliases: CVE-2017-15715 |
The expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename. |
Affected by 25 other vulnerabilities. |
|
VCID-qayj-kts9-3fde
Aliases: CVE-2017-3167 |
Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request. |
Affected by 32 other vulnerabilities. |
|
VCID-rfqy-e7pv-dyfy
Aliases: CVE-2016-2161 |
Malicious input to mod_auth_digest will cause the server to crash, and each instance continues to crash even for subsequently valid requests. |
Affected by 36 other vulnerabilities. |
|
VCID-scf1-zmu7-e3b2
Aliases: CVE-2018-1303 |
A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.33 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. |
Affected by 25 other vulnerabilities. |
|
VCID-uwqg-yytc-vfae
Aliases: CVE-2019-0220 |
When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them. |
Affected by 16 other vulnerabilities. |
|
VCID-w6p6-u8ku-k3f6
Aliases: CVE-2019-0217 |
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. |
Affected by 16 other vulnerabilities. |
|
VCID-wgte-97r1-j7a9
Aliases: CVE-2020-11985 |
For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020. |
Affected by 36 other vulnerabilities. |
|
VCID-zc2p-sfu7-jkhc
Aliases: CVE-2017-15710 |
mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all. |
Affected by 25 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-3wuk-hwg1-6fa6 | A design error in the "ap_some_auth_required" function renders the API unusuable in httpd 2.4.x. In particular the API is documented to answering if the request required authentication but only answers if there are Require lines in the applicable configuration. Since 2.4.x Require lines are used for authorization as well and can appear in configurations even when no authentication is required and the request is entirely unrestricted. This could lead to modules using this API to allow access when they should otherwise not do so. API users should use the new ap_some_authn_required API added in 2.4.16 instead. |
CVE-2015-3185
|
| VCID-gqat-458a-67g2 | A stack recursion crash in the mod_lua module was found. A Lua script executing the r:wsupgrade() function could crash the process if a malicious client sent a carefully crafted PING request. This issue affected releases 2.4.7 through 2.4.12 inclusive. |
CVE-2015-0228
|
| VCID-k4kb-21tp-4kc8 | An HTTP request smuggling attack was possible due to a bug in parsing of chunked requests. A malicious client could force the server to misinterpret the request length, allowing cache poisoning or credential hijacking if an intermediary proxy is in use. |
CVE-2015-3183
|
| VCID-tcmz-a5dq-d7cj | A crash in ErrorDocument handling was found. If ErrorDocument 400 was configured pointing to a local URL-path with the INCLUDES filter active, a NULL dereference would occur when handling the error, causing the child process to crash. This issue affected the 2.4.12 release only. |
CVE-2015-0253
|
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:36:23.043741+00:00 | Apache HTTPD Importer | Affected by | VCID-17hy-4ppt-xyhw | https://httpd.apache.org/security/json/CVE-2021-26691.json | 38.0.0 |
| 2026-04-01T12:36:22.977975+00:00 | Apache HTTPD Importer | Affected by | VCID-bvkg-nrwd-e7g8 | https://httpd.apache.org/security/json/CVE-2021-26690.json | 38.0.0 |
| 2026-04-01T12:36:22.908786+00:00 | Apache HTTPD Importer | Affected by | VCID-66k7-maf9-dfcd | https://httpd.apache.org/security/json/CVE-2020-35452.json | 38.0.0 |
| 2026-04-01T12:36:22.827840+00:00 | Apache HTTPD Importer | Affected by | VCID-91u7-vh6n-v7fm | https://httpd.apache.org/security/json/CVE-2020-13938.json | 38.0.0 |
| 2026-04-01T12:36:22.753591+00:00 | Apache HTTPD Importer | Affected by | VCID-wgte-97r1-j7a9 | https://httpd.apache.org/security/json/CVE-2020-11985.json | 38.0.0 |
| 2026-04-01T12:36:22.630735+00:00 | Apache HTTPD Importer | Affected by | VCID-auhk-ppv5-buaa | https://httpd.apache.org/security/json/CVE-2020-1934.json | 38.0.0 |
| 2026-04-01T12:36:22.559599+00:00 | Apache HTTPD Importer | Affected by | VCID-5xrt-1n1q-4bey | https://httpd.apache.org/security/json/CVE-2020-1927.json | 38.0.0 |
| 2026-04-01T12:36:22.493866+00:00 | Apache HTTPD Importer | Affected by | VCID-f2y3-s6j8-7ygr | https://httpd.apache.org/security/json/CVE-2019-17567.json | 38.0.0 |
| 2026-04-01T12:36:22.438505+00:00 | Apache HTTPD Importer | Affected by | VCID-h6kk-81jx-h7b8 | https://httpd.apache.org/security/json/CVE-2019-10098.json | 38.0.0 |
| 2026-04-01T12:36:22.351985+00:00 | Apache HTTPD Importer | Affected by | VCID-3djp-gq4c-1fa9 | https://httpd.apache.org/security/json/CVE-2019-10092.json | 38.0.0 |
| 2026-04-01T12:36:22.169596+00:00 | Apache HTTPD Importer | Affected by | VCID-uwqg-yytc-vfae | https://httpd.apache.org/security/json/CVE-2019-0220.json | 38.0.0 |
| 2026-04-01T12:36:22.109245+00:00 | Apache HTTPD Importer | Affected by | VCID-w6p6-u8ku-k3f6 | https://httpd.apache.org/security/json/CVE-2019-0217.json | 38.0.0 |
| 2026-04-01T12:36:21.919184+00:00 | Apache HTTPD Importer | Affected by | VCID-ct26-19cq-8kd7 | https://httpd.apache.org/security/json/CVE-2018-17199.json | 38.0.0 |
| 2026-04-01T12:36:21.755549+00:00 | Apache HTTPD Importer | Affected by | VCID-fqem-96w3-rucb | https://httpd.apache.org/security/json/CVE-2018-1312.json | 38.0.0 |
| 2026-04-01T12:36:21.710206+00:00 | Apache HTTPD Importer | Affected by | VCID-scf1-zmu7-e3b2 | https://httpd.apache.org/security/json/CVE-2018-1303.json | 38.0.0 |
| 2026-04-01T12:36:21.641171+00:00 | Apache HTTPD Importer | Affected by | VCID-jzuw-73df-mfff | https://httpd.apache.org/security/json/CVE-2018-1301.json | 38.0.0 |
| 2026-04-01T12:36:21.579028+00:00 | Apache HTTPD Importer | Affected by | VCID-9qdr-1v39-d7b7 | https://httpd.apache.org/security/json/CVE-2018-1283.json | 38.0.0 |
| 2026-04-01T12:36:21.526339+00:00 | Apache HTTPD Importer | Affected by | VCID-q5wm-suxb-jfeb | https://httpd.apache.org/security/json/CVE-2017-15715.json | 38.0.0 |
| 2026-04-01T12:36:21.480274+00:00 | Apache HTTPD Importer | Affected by | VCID-zc2p-sfu7-jkhc | https://httpd.apache.org/security/json/CVE-2017-15710.json | 38.0.0 |
| 2026-04-01T12:36:21.436497+00:00 | Apache HTTPD Importer | Affected by | VCID-5bej-9h7w-33c8 | https://httpd.apache.org/security/json/CVE-2017-9798.json | 38.0.0 |
| 2026-04-01T12:36:21.258385+00:00 | Apache HTTPD Importer | Affected by | VCID-jt89-ruvk-1kbj | https://httpd.apache.org/security/json/CVE-2017-9788.json | 38.0.0 |
| 2026-04-01T12:36:21.095575+00:00 | Apache HTTPD Importer | Affected by | VCID-fyrq-yg2u-jkc7 | https://httpd.apache.org/security/json/CVE-2017-7679.json | 38.0.0 |
| 2026-04-01T12:36:20.887024+00:00 | Apache HTTPD Importer | Affected by | VCID-1189-ej89-hybs | https://httpd.apache.org/security/json/CVE-2017-3169.json | 38.0.0 |
| 2026-04-01T12:36:20.724205+00:00 | Apache HTTPD Importer | Affected by | VCID-qayj-kts9-3fde | https://httpd.apache.org/security/json/CVE-2017-3167.json | 38.0.0 |
| 2026-04-01T12:36:20.579874+00:00 | Apache HTTPD Importer | Affected by | VCID-pc2n-ga7g-byga | https://httpd.apache.org/security/json/CVE-2016-8743.json | 38.0.0 |
| 2026-04-01T12:36:20.410141+00:00 | Apache HTTPD Importer | Affected by | VCID-2xc4-7zg9-y7fw | https://httpd.apache.org/security/json/CVE-2016-5387.json | 38.0.0 |
| 2026-04-01T12:36:20.241080+00:00 | Apache HTTPD Importer | Affected by | VCID-8gcm-7q3n-q7bm | https://httpd.apache.org/security/json/CVE-2016-4975.json | 38.0.0 |
| 2026-04-01T12:36:20.151629+00:00 | Apache HTTPD Importer | Affected by | VCID-rfqy-e7pv-dyfy | https://httpd.apache.org/security/json/CVE-2016-2161.json | 38.0.0 |
| 2026-04-01T12:36:20.101280+00:00 | Apache HTTPD Importer | Affected by | VCID-2nmh-7tfa-zyb2 | https://httpd.apache.org/security/json/CVE-2016-0736.json | 38.0.0 |
| 2026-04-01T12:36:20.073270+00:00 | Apache HTTPD Importer | Fixing | VCID-3wuk-hwg1-6fa6 | https://httpd.apache.org/security/json/CVE-2015-3185.json | 38.0.0 |
| 2026-04-01T12:36:20.039106+00:00 | Apache HTTPD Importer | Fixing | VCID-k4kb-21tp-4kc8 | https://httpd.apache.org/security/json/CVE-2015-3183.json | 38.0.0 |
| 2026-04-01T12:36:19.904442+00:00 | Apache HTTPD Importer | Fixing | VCID-tcmz-a5dq-d7cj | https://httpd.apache.org/security/json/CVE-2015-0253.json | 38.0.0 |
| 2026-04-01T12:36:19.889554+00:00 | Apache HTTPD Importer | Fixing | VCID-gqat-458a-67g2 | https://httpd.apache.org/security/json/CVE-2015-0228.json | 38.0.0 |