VulnerableCode Package Details - pkg:ebuild/www-servers/apache@2.4.62

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2e6w-fs4j-17g9	HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.	CVE-2024-27316
VCID-4jfa-3r1g-m7h8	SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue.	CVE-2024-40898
VCID-6tgh-b4td-63f5	Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.	CVE-2024-39573
VCID-8edq-8rvq-rkf1		CVE-2024-38475
VCID-8nw9-zpxn-ckab	Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.	CVE-2024-38476
VCID-bau7-pme5-ckbt	HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.	CVE-2024-24795
VCID-ej7y-7na3-5qby	Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.	CVE-2024-38474
VCID-ftjw-9fb6-d3cw	Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.	CVE-2024-38473
VCID-nbar-1p1f-bqfk	SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.	CVE-2024-38472
VCID-pjxs-hnjr-duey	null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.	CVE-2024-38477
VCID-pz6f-mahv-hue8	A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.	CVE-2024-39884
VCID-qjeh-n57t-y7g5	A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.	CVE-2024-40725
VCID-r2pc-wuzb-h7hk	Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.	CVE-2024-36387
VCID-xhyc-9rpu-2bc8	Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.	CVE-2023-38709

Vulnerability

Summary

Aliases

VCID-2e6w-fs4j-17g9

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

CVE-2024-27316

VCID-4jfa-3r1g-m7h8

SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTML hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue.

CVE-2024-40898

VCID-6tgh-b4td-63f5

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

CVE-2024-39573

VCID-8edq-8rvq-rkf1

CVE-2024-38475

VCID-8nw9-zpxn-ckab

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

CVE-2024-38476

VCID-bau7-pme5-ckbt

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.

CVE-2024-24795

VCID-ej7y-7na3-5qby

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

CVE-2024-38474

VCID-ftjw-9fb6-d3cw

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

CVE-2024-38473

VCID-nbar-1p1f-bqfk

SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to version 2.4.60 which fixes this issue. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing.

CVE-2024-38472

VCID-pjxs-hnjr-duey

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

CVE-2024-38477

VCID-pz6f-mahv-hue8

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.

CVE-2024-39884

VCID-qjeh-n57t-y7g5

A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.

CVE-2024-40725

VCID-r2pc-wuzb-h7hk

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.

CVE-2024-36387

VCID-xhyc-9rpu-2bc8

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.

CVE-2023-38709

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:02:25.637772+00:00	Gentoo Importer	Fixing	VCID-4jfa-3r1g-m7h8	https://security.gentoo.org/glsa/202409-31	38.0.0
2026-04-01T13:02:25.628105+00:00	Gentoo Importer	Fixing	VCID-qjeh-n57t-y7g5	https://security.gentoo.org/glsa/202409-31	38.0.0
2026-04-01T13:02:25.618952+00:00	Gentoo Importer	Fixing	VCID-pz6f-mahv-hue8	https://security.gentoo.org/glsa/202409-31	38.0.0
2026-04-01T13:02:25.608865+00:00	Gentoo Importer	Fixing	VCID-6tgh-b4td-63f5	https://security.gentoo.org/glsa/202409-31	38.0.0
2026-04-01T13:02:25.598862+00:00	Gentoo Importer	Fixing	VCID-pjxs-hnjr-duey	https://security.gentoo.org/glsa/202409-31	38.0.0
2026-04-01T13:02:25.589839+00:00	Gentoo Importer	Fixing	VCID-8nw9-zpxn-ckab	https://security.gentoo.org/glsa/202409-31	38.0.0
2026-04-01T13:02:25.580525+00:00	Gentoo Importer	Fixing	VCID-8edq-8rvq-rkf1	https://security.gentoo.org/glsa/202409-31	38.0.0
2026-04-01T13:02:25.570975+00:00	Gentoo Importer	Fixing	VCID-ej7y-7na3-5qby	https://security.gentoo.org/glsa/202409-31	38.0.0
2026-04-01T13:02:25.561453+00:00	Gentoo Importer	Fixing	VCID-ftjw-9fb6-d3cw	https://security.gentoo.org/glsa/202409-31	38.0.0
2026-04-01T13:02:25.552660+00:00	Gentoo Importer	Fixing	VCID-nbar-1p1f-bqfk	https://security.gentoo.org/glsa/202409-31	38.0.0
2026-04-01T13:02:25.542749+00:00	Gentoo Importer	Fixing	VCID-r2pc-wuzb-h7hk	https://security.gentoo.org/glsa/202409-31	38.0.0
2026-04-01T13:02:25.532508+00:00	Gentoo Importer	Fixing	VCID-2e6w-fs4j-17g9	https://security.gentoo.org/glsa/202409-31	38.0.0
2026-04-01T13:02:25.523807+00:00	Gentoo Importer	Fixing	VCID-bau7-pme5-ckbt	https://security.gentoo.org/glsa/202409-31	38.0.0
2026-04-01T13:02:25.511254+00:00	Gentoo Importer	Fixing	VCID-xhyc-9rpu-2bc8	https://security.gentoo.org/glsa/202409-31	38.0.0