{"url":"http://public2.vulnerablecode.io/api/packages/582509?format=json","purl":"pkg:deb/debian/apache2@2.4.25-1?distro=trixie","type":"deb","namespace":"debian","name":"apache2","version":"2.4.25-1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"2.4.25-4","latest_non_vulnerable_version":"2.4.66-8","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3760?format=json","vulnerability_id":"VCID-2nmh-7tfa-zyb2","summary":"Prior to Apache HTTP release 2.4.25, mod_sessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC. An authentication tag (SipHash MAC) is now added to prevent such attacks.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-0736.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-0736.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-0736","reference_id":"","reference_type":"","scores":[{"value":"0.4168","scoring_system":"epss","scoring_elements":"0.97392","published_at":"2026-04-01T12:55:00Z"},{"value":"0.4168","scoring_system":"epss","scoring_elements":"0.97418","published_at":"2026-04-13T12:55:00Z"},{"value":"0.4168","scoring_system":"epss","scoring_elements":"0.97416","published_at":"2026-04-11T12:55:00Z"},{"value":"0.4168","scoring_system":"epss","scoring_elements":"0.97417","published_at":"2026-04-12T12:55:00Z"},{"value":"0.4168","scoring_system":"epss","scoring_elements":"0.97399","published_at":"2026-04-02T12:55:00Z"},{"value":"0.4168","scoring_system":"epss","scoring_elements":"0.97403","published_at":"2026-04-04T12:55:00Z"},{"value":"0.4168","scoring_system":"epss","scoring_elements":"0.97406","published_at":"2026-04-07T12:55:00Z"},{"value":"0.4168","scoring_system":"epss","scoring_elements":"0.97413","published_at":"2026-04-08T12:55:00Z"},{"value":"0.4168","scoring_system":"epss","scoring_elements":"0.97414","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-0736"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:H/Au:N/C:P/I:P/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1406744","reference_id":"1406744","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1406744"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/40961.py","reference_id":"CVE-2016-0736","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/40961.py"},{"reference_url":"https://httpd.apache.org/security/json/CVE-2016-0736.json","reference_id":"CVE-2016-0736","reference_type":"","scores":[{"value":"low","scoring_system":"apache_httpd","scoring_elements":""}],"url":"https://httpd.apache.org/security/json/CVE-2016-0736.json"},{"reference_url":"https://www.redteam-pentesting.de/advisories/rt-sa-2016-001.txt","reference_id":"CVE-2016-0736","reference_type":"exploit","scores":[],"url":"https://www.redteam-pentesting.de/advisories/rt-sa-2016-001.txt"},{"reference_url":"https://security.gentoo.org/glsa/201701-36","reference_id":"GLSA-201701-36","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201701-36"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:0906","reference_id":"RHSA-2017:0906","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:0906"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1161","reference_id":"RHSA-2017:1161","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1161"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1413","reference_id":"RHSA-2017:1413","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1413"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1414","reference_id":"RHSA-2017:1414","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1414"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1415","reference_id":"RHSA-2017:1415","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1415"},{"reference_url":"https://usn.ubuntu.com/3279-1/","reference_id":"USN-3279-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3279-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/582509?format=json","purl":"pkg:deb/debian/apache2@2.4.25-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.25-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582274?format=json","purl":"pkg:deb/debian/apache2@2.4.62-1~deb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.62-1~deb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582275?format=json","purl":"pkg:deb/debian/apache2@2.4.66-1~deb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-1~deb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582276?format=json","purl":"pkg:deb/debian/apache2@2.4.66-1~deb13u2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-1~deb13u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582277?format=json","purl":"pkg:deb/debian/apache2@2.4.66-8?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-8%3Fdistro=trixie"}],"aliases":["CVE-2016-0736"],"risk_score":9.8,"exploitability":"2.0","weighted_severity":"4.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2nmh-7tfa-zyb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3763?format=json","vulnerability_id":"VCID-8gcm-7q3n-q7bm","summary":"Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the \"Location\" or other outbound header key or value.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-4975.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-4975.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-4975","reference_id":"","reference_type":"","scores":[{"value":"0.73272","scoring_system":"epss","scoring_elements":"0.98788","published_at":"2026-04-09T12:55:00Z"},{"value":"0.73272","scoring_system":"epss","scoring_elements":"0.98789","published_at":"2026-04-08T12:55:00Z"},{"value":"0.73272","scoring_system":"epss","scoring_elements":"0.98791","published_at":"2026-04-11T12:55:00Z"},{"value":"0.73272","scoring_system":"epss","scoring_elements":"0.98793","published_at":"2026-04-13T12:55:00Z"},{"value":"0.73272","scoring_system":"epss","scoring_elements":"0.98792","published_at":"2026-04-12T12:55:00Z"},{"value":"0.75341","scoring_system":"epss","scoring_elements":"0.9888","published_at":"2026-04-04T12:55:00Z"},{"value":"0.75341","scoring_system":"epss","scoring_elements":"0.98876","published_at":"2026-04-01T12:55:00Z"},{"value":"0.75341","scoring_system":"epss","scoring_elements":"0.98878","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-4975"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4975","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4975"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1375968","reference_id":"1375968","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1375968"},{"reference_url":"https://httpd.apache.org/security/json/CVE-2016-4975.json","reference_id":"CVE-2016-4975","reference_type":"","scores":[{"value":"moderate","scoring_system":"apache_httpd","scoring_elements":""}],"url":"https://httpd.apache.org/security/json/CVE-2016-4975.json"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:0906","reference_id":"RHSA-2017:0906","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:0906"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2185","reference_id":"RHSA-2018:2185","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2185"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2186","reference_id":"RHSA-2018:2186","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2186"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/582509?format=json","purl":"pkg:deb/debian/apache2@2.4.25-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.25-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582274?format=json","purl":"pkg:deb/debian/apache2@2.4.62-1~deb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.62-1~deb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582275?format=json","purl":"pkg:deb/debian/apache2@2.4.66-1~deb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-1~deb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582276?format=json","purl":"pkg:deb/debian/apache2@2.4.66-1~deb13u2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-1~deb13u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582277?format=json","purl":"pkg:deb/debian/apache2@2.4.66-8?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-8%3Fdistro=trixie"}],"aliases":["CVE-2016-4975"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8gcm-7q3n-q7bm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3767?format=json","vulnerability_id":"VCID-pc2n-ga7g-byga","summary":"Apache HTTP Server, prior to release 2.4.25 (and 2.2.32), accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines was treated as whitespace and remained in the request field member \"the_request\", while a bare CR in the request header field name would be honored as whitespace, and a bare CR in the request header field value was retained the input headers array. Implied additional whitespace was accepted in the request line and prior to the ':' delimiter of any request header lines.\nRFC7230 Section 3.5 calls out some of these whitespace exceptions, and section 3.2.3 eliminated and clarified the role of implied whitespace in the grammer of this specification. Section 3.1.1 requires exactly one single SP between the method and request-target, and between the request-target and HTTP-version, followed immediately by a CRLF sequence. None of these fields permit any (unencoded) CTL character whatsoever. Section 3.2.4 explicitly disallowed any whitespace from the request header field prior to the ':' character, while Section 3.2 disallows all CTL characters in the request header line other than the HTAB character as whitespace.\nThese defects represent a security concern when httpd is participating in any chain of proxies or interacting with back-end application servers, either through mod_proxy or using conventional CGI mechanisms. In each case where one agent accepts such CTL characters and does not treat them as whitespace, there is the possiblity in a proxy chain of generating two responses from a server behind the uncautious proxy agent. In a sequence of two requests, this results in request A to the first proxy being interpreted as requests A + A' by the backend server, and if requests A and B were submitted to the first proxy in a keepalive connection, the proxy may interpret response A' as the response to request B, polluting the cache or potentially serving the A' content to a different downstream user-agent.\nThese defects are addressed with the release of Apache HTTP Server 2.4.25 and coordinated by a new directive; HttpProtocolOptions Strict which is the default behavior of 2.4.25 and later.\nBy toggling from 'Strict' behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow some invalid HTTP/1.1 clients to communicate with the server, but this will reintroduce the possibility of the problems described in this assessment. Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs other than HTAB (where permitted), but will allow other RFC requirements to not be enforced, such as exactly two SP characters in the request line.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-8743.json","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-8743.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8743","reference_id":"","reference_type":"","scores":[{"value":"0.08406","scoring_system":"epss","scoring_elements":"0.92291","published_at":"2026-04-01T12:55:00Z"},{"value":"0.08406","scoring_system":"epss","scoring_elements":"0.9233","published_at":"2026-04-12T12:55:00Z"},{"value":"0.08406","scoring_system":"epss","scoring_elements":"0.92322","published_at":"2026-04-09T12:55:00Z"},{"value":"0.08406","scoring_system":"epss","scoring_elements":"0.92328","published_at":"2026-04-13T12:55:00Z"},{"value":"0.08406","scoring_system":"epss","scoring_elements":"0.92298","published_at":"2026-04-02T12:55:00Z"},{"value":"0.08406","scoring_system":"epss","scoring_elements":"0.92304","published_at":"2026-04-04T12:55:00Z"},{"value":"0.08406","scoring_system":"epss","scoring_elements":"0.92307","published_at":"2026-04-07T12:55:00Z"},{"value":"0.08406","scoring_system":"epss","scoring_elements":"0.92318","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8743"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:P/I:P/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1406822","reference_id":"1406822","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1406822"},{"reference_url":"https://httpd.apache.org/security/json/CVE-2016-8743.json","reference_id":"CVE-2016-8743","reference_type":"","scores":[{"value":"important","scoring_system":"apache_httpd","scoring_elements":""}],"url":"https://httpd.apache.org/security/json/CVE-2016-8743.json"},{"reference_url":"https://security.gentoo.org/glsa/201701-36","reference_id":"GLSA-201701-36","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201701-36"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:0906","reference_id":"RHSA-2017:0906","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:0906"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1161","reference_id":"RHSA-2017:1161","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1161"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1413","reference_id":"RHSA-2017:1413","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1413"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1414","reference_id":"RHSA-2017:1414","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1414"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1415","reference_id":"RHSA-2017:1415","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1415"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1721","reference_id":"RHSA-2017:1721","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1721"},{"reference_url":"https://usn.ubuntu.com/3279-1/","reference_id":"USN-3279-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3279-1/"},{"reference_url":"https://usn.ubuntu.com/3373-1/","reference_id":"USN-3373-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3373-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/582509?format=json","purl":"pkg:deb/debian/apache2@2.4.25-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.25-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582274?format=json","purl":"pkg:deb/debian/apache2@2.4.62-1~deb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.62-1~deb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582275?format=json","purl":"pkg:deb/debian/apache2@2.4.66-1~deb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-1~deb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582276?format=json","purl":"pkg:deb/debian/apache2@2.4.66-1~deb13u2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-1~deb13u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582277?format=json","purl":"pkg:deb/debian/apache2@2.4.66-8?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-8%3Fdistro=trixie"}],"aliases":["CVE-2016-8743"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pc2n-ga7g-byga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3762?format=json","vulnerability_id":"VCID-rfqy-e7pv-dyfy","summary":"Malicious input to mod_auth_digest will cause the server to crash, and each instance continues to crash even for subsequently valid requests.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2161.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-2161.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2161","reference_id":"","reference_type":"","scores":[{"value":"0.33186","scoring_system":"epss","scoring_elements":"0.96873","published_at":"2026-04-01T12:55:00Z"},{"value":"0.33186","scoring_system":"epss","scoring_elements":"0.96905","published_at":"2026-04-13T12:55:00Z"},{"value":"0.33186","scoring_system":"epss","scoring_elements":"0.96902","published_at":"2026-04-11T12:55:00Z"},{"value":"0.33186","scoring_system":"epss","scoring_elements":"0.96904","published_at":"2026-04-12T12:55:00Z"},{"value":"0.33186","scoring_system":"epss","scoring_elements":"0.9688","published_at":"2026-04-02T12:55:00Z"},{"value":"0.33186","scoring_system":"epss","scoring_elements":"0.96885","published_at":"2026-04-04T12:55:00Z"},{"value":"0.33186","scoring_system":"epss","scoring_elements":"0.9689","published_at":"2026-04-07T12:55:00Z"},{"value":"0.33186","scoring_system":"epss","scoring_elements":"0.96898","published_at":"2026-04-08T12:55:00Z"},{"value":"0.33186","scoring_system":"epss","scoring_elements":"0.96899","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-2161"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:N/I:N/A:P"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1406753","reference_id":"1406753","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1406753"},{"reference_url":"https://httpd.apache.org/security/json/CVE-2016-2161.json","reference_id":"CVE-2016-2161","reference_type":"","scores":[{"value":"low","scoring_system":"apache_httpd","scoring_elements":""}],"url":"https://httpd.apache.org/security/json/CVE-2016-2161.json"},{"reference_url":"https://security.gentoo.org/glsa/201701-36","reference_id":"GLSA-201701-36","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201701-36"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:0906","reference_id":"RHSA-2017:0906","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:0906"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1161","reference_id":"RHSA-2017:1161","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1161"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1413","reference_id":"RHSA-2017:1413","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1413"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1414","reference_id":"RHSA-2017:1414","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1414"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1415","reference_id":"RHSA-2017:1415","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1415"},{"reference_url":"https://usn.ubuntu.com/3279-1/","reference_id":"USN-3279-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3279-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/582509?format=json","purl":"pkg:deb/debian/apache2@2.4.25-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.25-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582274?format=json","purl":"pkg:deb/debian/apache2@2.4.62-1~deb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.62-1~deb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582275?format=json","purl":"pkg:deb/debian/apache2@2.4.66-1~deb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-1~deb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582276?format=json","purl":"pkg:deb/debian/apache2@2.4.66-1~deb13u2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-1~deb13u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582277?format=json","purl":"pkg:deb/debian/apache2@2.4.66-8?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-8%3Fdistro=trixie"}],"aliases":["CVE-2016-2161"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rfqy-e7pv-dyfy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3766?format=json","vulnerability_id":"VCID-tkm7-pyue-7ffj","summary":"The HTTP/2 protocol implementation (mod_http2) had an incomplete handling of the LimitRequestFields directive. This allowed an attacker to inject unlimited request headers into the server, leading to eventual memory exhaustion.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-8740.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-8740.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8740","reference_id":"","reference_type":"","scores":[{"value":"0.68259","scoring_system":"epss","scoring_elements":"0.98589","published_at":"2026-04-01T12:55:00Z"},{"value":"0.68259","scoring_system":"epss","scoring_elements":"0.98603","published_at":"2026-04-13T12:55:00Z"},{"value":"0.68259","scoring_system":"epss","scoring_elements":"0.98601","published_at":"2026-04-11T12:55:00Z"},{"value":"0.68259","scoring_system":"epss","scoring_elements":"0.98602","published_at":"2026-04-12T12:55:00Z"},{"value":"0.68259","scoring_system":"epss","scoring_elements":"0.9859","published_at":"2026-04-02T12:55:00Z"},{"value":"0.68259","scoring_system":"epss","scoring_elements":"0.98594","published_at":"2026-04-04T12:55:00Z"},{"value":"0.68259","scoring_system":"epss","scoring_elements":"0.98595","published_at":"2026-04-07T12:55:00Z"},{"value":"0.68259","scoring_system":"epss","scoring_elements":"0.98598","published_at":"2026-04-08T12:55:00Z"},{"value":"0.68259","scoring_system":"epss","scoring_elements":"0.98599","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-8740"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8740"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:N/I:N/A:P"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1401528","reference_id":"1401528","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1401528"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847124","reference_id":"847124","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847124"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/dos/40909.py","reference_id":"CVE-2016-8740","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/dos/40909.py"},{"reference_url":"https://httpd.apache.org/security/json/CVE-2016-8740.json","reference_id":"CVE-2016-8740","reference_type":"","scores":[{"value":"low","scoring_system":"apache_httpd","scoring_elements":""}],"url":"https://httpd.apache.org/security/json/CVE-2016-8740.json"},{"reference_url":"https://security.gentoo.org/glsa/201701-36","reference_id":"GLSA-201701-36","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201701-36"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1161","reference_id":"RHSA-2017:1161","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1161"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1413","reference_id":"RHSA-2017:1413","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1413"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1414","reference_id":"RHSA-2017:1414","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1414"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1415","reference_id":"RHSA-2017:1415","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1415"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/582509?format=json","purl":"pkg:deb/debian/apache2@2.4.25-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.25-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582274?format=json","purl":"pkg:deb/debian/apache2@2.4.62-1~deb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.62-1~deb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582275?format=json","purl":"pkg:deb/debian/apache2@2.4.66-1~deb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-1~deb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582276?format=json","purl":"pkg:deb/debian/apache2@2.4.66-1~deb13u2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-1~deb13u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582277?format=json","purl":"pkg:deb/debian/apache2@2.4.66-8?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-8%3Fdistro=trixie"}],"aliases":["CVE-2016-8740"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"5.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tkm7-pyue-7ffj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3807?format=json","vulnerability_id":"VCID-wgte-97r1-j7a9","summary":"For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11985.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11985.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11985","reference_id":"","reference_type":"","scores":[{"value":"0.15318","scoring_system":"epss","scoring_elements":"0.94596","published_at":"2026-04-01T12:55:00Z"},{"value":"0.15318","scoring_system":"epss","scoring_elements":"0.94633","published_at":"2026-04-13T12:55:00Z"},{"value":"0.15318","scoring_system":"epss","scoring_elements":"0.94626","published_at":"2026-04-09T12:55:00Z"},{"value":"0.15318","scoring_system":"epss","scoring_elements":"0.9463","published_at":"2026-04-11T12:55:00Z"},{"value":"0.15318","scoring_system":"epss","scoring_elements":"0.94603","published_at":"2026-04-02T12:55:00Z"},{"value":"0.15318","scoring_system":"epss","scoring_elements":"0.9461","published_at":"2026-04-04T12:55:00Z"},{"value":"0.15318","scoring_system":"epss","scoring_elements":"0.94611","published_at":"2026-04-07T12:55:00Z"},{"value":"0.15318","scoring_system":"epss","scoring_elements":"0.94621","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11985"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11985","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11985"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1866559","reference_id":"1866559","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1866559"},{"reference_url":"https://httpd.apache.org/security/json/CVE-2020-11985.json","reference_id":"CVE-2020-11985","reference_type":"","scores":[{"value":"low","scoring_system":"apache_httpd","scoring_elements":""}],"url":"https://httpd.apache.org/security/json/CVE-2020-11985.json"},{"reference_url":"https://security.gentoo.org/glsa/202008-04","reference_id":"GLSA-202008-04","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202008-04"},{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1161","reference_id":"RHSA-2017:1161","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2017:1161"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/582509?format=json","purl":"pkg:deb/debian/apache2@2.4.25-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.25-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582274?format=json","purl":"pkg:deb/debian/apache2@2.4.62-1~deb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.62-1~deb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582275?format=json","purl":"pkg:deb/debian/apache2@2.4.66-1~deb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-1~deb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582276?format=json","purl":"pkg:deb/debian/apache2@2.4.66-1~deb13u2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-1~deb13u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/582277?format=json","purl":"pkg:deb/debian/apache2@2.4.66-8?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.66-8%3Fdistro=trixie"}],"aliases":["CVE-2020-11985"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wgte-97r1-j7a9"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/apache2@2.4.25-1%3Fdistro=trixie"}