| purl | pkg:apache/httpd@2.4.30 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3djp-gq4c-1fa9 Aliases: CVE-2019-10092 | A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed. We have taken this opportunity to also remove request data from many other in-built error messages. Note however this issue did not affect them directly and their output was already escaped to prevent cross-site scripting attacks. | Affected by 9 other vulnerabilities. |
| VCID-5xrt-1n1q-4bey Aliases: CVE-2020-1927 | In Apache HTTP Server versions 2.4.0 to 2.4.41 some mod_rewrite configurations are vulnerable to open redirect. | Affected by 0 other vulnerabilities. |
| VCID-6vxq-uxxw-ybeh Aliases: CVE-2019-0196 | Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly. | Affected by 16 other vulnerabilities. |
| VCID-7u2r-egf2-vfhx Aliases: CVE-2018-17189 | By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. | Affected by 22 other vulnerabilities. |
| VCID-auhk-ppv5-buaa Aliases: CVE-2020-1934 | In Apache HTTP Server versions 2.4.0 to 2.4.41, mod_proxy_ftp use of uninitialized value with malicious FTP backend. | Affected by 0 other vulnerabilities. |
| VCID-ct26-19cq-8kd7 Aliases: CVE-2018-17199 | In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded. | Affected by 22 other vulnerabilities. |
| VCID-e3jc-83a7-8uhh Aliases: CVE-2018-11763 | By sending continuous SETTINGS frames of maximum size an ongoing HTTP/2 connection could be kept busy and would never time out. This can be abused for a DoS on the server. This only affects a server that has enabled the h2 protocol. | Affected by 23 other vulnerabilities. |
| VCID-eesz-v6ae-gya3 Aliases: CVE-2020-9490 | In Apache HTTP Server versions 2.4.20 to 2.4.43, a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers. | Affected by 0 other vulnerabilities. |
| VCID-ehv1-yvpu-ubcg Aliases: CVE-2019-0211 | In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected. | Affected by 16 other vulnerabilities. |
| VCID-h6kk-81jx-h7b8 Aliases: CVE-2019-10098 | Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. | Affected by 9 other vulnerabilities. |
| VCID-rdtq-8ng5-53fn Aliases: CVE-2021-36160 | A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). | Affected by 3 other vulnerabilities. |
| VCID-uwqg-yytc-vfae Aliases: CVE-2019-0220 | When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them. | Affected by 16 other vulnerabilities. |
| VCID-w6p6-u8ku-k3f6 Aliases: CVE-2019-0217 | In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. | Affected by 16 other vulnerabilities. |
| VCID-yz3c-arnr-y3cs Aliases: CVE-2020-11993 | In Apache HTTP Server versions 2.4.20 to 2.4.43, when trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers. | Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:36:23.156943+00:00 | Apache HTTPD Importer | Affected by | VCID-rdtq-8ng5-53fn | https://httpd.apache.org/security/json/CVE-2021-36160.json | 38.0.0 |
| 2026-04-01T12:36:22.784866+00:00 | Apache HTTPD Importer | Affected by | VCID-yz3c-arnr-y3cs | https://httpd.apache.org/security/json/CVE-2020-11993.json | 38.0.0 |
| 2026-04-01T12:36:22.691943+00:00 | Apache HTTPD Importer | Affected by | VCID-eesz-v6ae-gya3 | https://httpd.apache.org/security/json/CVE-2020-9490.json | 38.0.0 |
| 2026-04-01T12:36:22.648833+00:00 | Apache HTTPD Importer | Affected by | VCID-auhk-ppv5-buaa | https://httpd.apache.org/security/json/CVE-2020-1934.json | 38.0.0 |
| 2026-04-01T12:36:22.578199+00:00 | Apache HTTPD Importer | Affected by | VCID-5xrt-1n1q-4bey | https://httpd.apache.org/security/json/CVE-2020-1927.json | 38.0.0 |
| 2026-04-01T12:36:22.458212+00:00 | Apache HTTPD Importer | Affected by | VCID-h6kk-81jx-h7b8 | https://httpd.apache.org/security/json/CVE-2019-10098.json | 38.0.0 |
| 2026-04-01T12:36:22.370961+00:00 | Apache HTTPD Importer | Affected by | VCID-3djp-gq4c-1fa9 | https://httpd.apache.org/security/json/CVE-2019-10092.json | 38.0.0 |
| 2026-04-01T12:36:22.186586+00:00 | Apache HTTPD Importer | Affected by | VCID-uwqg-yytc-vfae | https://httpd.apache.org/security/json/CVE-2019-0220.json | 38.0.0 |
| 2026-04-01T12:36:22.127347+00:00 | Apache HTTPD Importer | Affected by | VCID-w6p6-u8ku-k3f6 | https://httpd.apache.org/security/json/CVE-2019-0217.json | 38.0.0 |
| 2026-04-01T12:36:22.050079+00:00 | Apache HTTPD Importer | Affected by | VCID-ehv1-yvpu-ubcg | https://httpd.apache.org/security/json/CVE-2019-0211.json | 38.0.0 |
| 2026-04-01T12:36:21.990768+00:00 | Apache HTTPD Importer | Affected by | VCID-6vxq-uxxw-ybeh | https://httpd.apache.org/security/json/CVE-2019-0196.json | 38.0.0 |
| 2026-04-01T12:36:21.936837+00:00 | Apache HTTPD Importer | Affected by | VCID-ct26-19cq-8kd7 | https://httpd.apache.org/security/json/CVE-2018-17199.json | 38.0.0 |
| 2026-04-01T12:36:21.880007+00:00 | Apache HTTPD Importer | Affected by | VCID-7u2r-egf2-vfhx | https://httpd.apache.org/security/json/CVE-2018-17189.json | 38.0.0 |
| 2026-04-01T12:36:21.841969+00:00 | Apache HTTPD Importer | Affected by | VCID-e3jc-83a7-8uhh | https://httpd.apache.org/security/json/CVE-2018-11763.json | 38.0.0 |