VulnerableCode Package Details - pkg:rpm/redhat/httpd@2.4.6-93?arch=el7

Search for packages

Vulnerability	Summary	Fixed by
VCID-ct26-19cq-8kd7 Aliases: CVE-2018-17199	In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.	There are no reported fixed by versions.
VCID-jzuw-73df-mfff Aliases: CVE-2018-1301	A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.33, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.	There are no reported fixed by versions.
VCID-zc2p-sfu7-jkhc Aliases: CVE-2017-15710	mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-ct26-19cq-8kd7
Aliases:
CVE-2018-17199

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.

There are no reported fixed by versions.

VCID-jzuw-73df-mfff
Aliases:
CVE-2018-1301

A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.33, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.

There are no reported fixed by versions.

VCID-zc2p-sfu7-jkhc
Aliases:
CVE-2017-15710

mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T14:25:45.047849+00:00	RedHat Importer	Affected by	VCID-jzuw-73df-mfff	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1301.json	38.0.0
2026-04-01T14:25:40.697167+00:00	RedHat Importer	Affected by	VCID-zc2p-sfu7-jkhc	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-15710.json	38.0.0
2026-04-01T14:21:04.026140+00:00	RedHat Importer	Affected by	VCID-ct26-19cq-8kd7	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-17199.json	38.0.0