VulnerableCode Package Details - pkg:ebuild/www-servers/apache@2.4.46

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-eesz-v6ae-gya3	In Apache HTTP Server versions 2.4.20 to 2.4.43, a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.	CVE-2020-9490
VCID-t67v-c4gx-ukbj	In Apache HTTP Server versions 2.4.32 to 2.4.43, mod_proxy_uwsgi has a information disclosure and possible RCE	CVE-2020-11984
VCID-wgte-97r1-j7a9	For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020.	CVE-2020-11985
VCID-yz3c-arnr-y3cs	In Apache HTTP Server versions 2.4.20 to 2.4.43, when trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.	CVE-2020-11993

Vulnerability

Summary

Aliases

VCID-eesz-v6ae-gya3

In Apache HTTP Server versions 2.4.20 to 2.4.43, a specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

CVE-2020-9490

VCID-t67v-c4gx-ukbj

In Apache HTTP Server versions 2.4.32 to 2.4.43, mod_proxy_uwsgi has a information disclosure and possible RCE

CVE-2020-11984

VCID-wgte-97r1-j7a9

For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020.

CVE-2020-11985

VCID-yz3c-arnr-y3cs

In Apache HTTP Server versions 2.4.20 to 2.4.43, when trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

CVE-2020-11993

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:03:37.682616+00:00	Gentoo Importer	Fixing	VCID-eesz-v6ae-gya3	https://security.gentoo.org/glsa/202008-04	38.0.0
2026-04-01T13:03:37.671383+00:00	Gentoo Importer	Fixing	VCID-yz3c-arnr-y3cs	https://security.gentoo.org/glsa/202008-04	38.0.0
2026-04-01T13:03:37.663225+00:00	Gentoo Importer	Fixing	VCID-wgte-97r1-j7a9	https://security.gentoo.org/glsa/202008-04	38.0.0
2026-04-01T13:03:37.653967+00:00	Gentoo Importer	Fixing	VCID-t67v-c4gx-ukbj	https://security.gentoo.org/glsa/202008-04	38.0.0