Apache

HTTP Server

330 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 56.77%
  • Veröffentlicht 13.07.2017 16:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial ke...

  • EPSS 9.51%
  • Veröffentlicht 13.07.2017 16:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.

  • EPSS 20.23%
  • Veröffentlicht 20.06.2017 01:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

  • EPSS 19.95%
  • Veröffentlicht 20.06.2017 01:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.

  • EPSS 57.47%
  • Veröffentlicht 20.06.2017 01:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacke...

Exploit
  • EPSS 39.34%
  • Veröffentlicht 20.06.2017 01:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.

Medienbericht Exploit
  • EPSS 79.07%
  • Veröffentlicht 05.12.2016 19:59:00
  • Zuletzt bearbeitet 06.05.2026 22:30:45

The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via cr...

  • EPSS 55.72%
  • Veröffentlicht 19.07.2016 02:00:19
  • Zuletzt bearbeitet 06.05.2026 22:30:45

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an app...

  • EPSS 18.8%
  • Veröffentlicht 06.07.2016 14:59:04
  • Zuletzt bearbeitet 06.05.2026 22:30:45

The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restri...

Medienbericht
  • EPSS 15.33%
  • Veröffentlicht 06.07.2016 14:59:01
  • Zuletzt bearbeitet 06.05.2026 22:30:45

The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service (stream-processing outage) via mo...