CVE-2017-9788
- EPSS 56.77%
- Veröffentlicht 13.07.2017 16:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial ke...
CVE-2017-9789
- EPSS 9.51%
- Veröffentlicht 13.07.2017 16:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
When under stress, closing many connections, the HTTP/2 handling code in Apache httpd 2.4.26 would sometimes access memory after it has been freed, resulting in potentially erratic behaviour.
CVE-2017-3167
- EPSS 20.23%
- Veröffentlicht 20.06.2017 01:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
CVE-2017-3169
- EPSS 19.95%
- Veröffentlicht 20.06.2017 01:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.
CVE-2017-7668
- EPSS 57.47%
- Veröffentlicht 20.06.2017 01:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacke...
CVE-2017-7679
- EPSS 39.34%
- Veröffentlicht 20.06.2017 01:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.
CVE-2016-8740
- EPSS 79.07%
- Veröffentlicht 05.12.2016 19:59:00
- Zuletzt bearbeitet 06.05.2026 22:30:45
The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via cr...
CVE-2016-5387
- EPSS 55.72%
- Veröffentlicht 19.07.2016 02:00:19
- Zuletzt bearbeitet 06.05.2026 22:30:45
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an app...
CVE-2016-4979
- EPSS 18.8%
- Veröffentlicht 06.07.2016 14:59:04
- Zuletzt bearbeitet 06.05.2026 22:30:45
The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restri...
CVE-2016-1546
- EPSS 15.33%
- Veröffentlicht 06.07.2016 14:59:01
- Zuletzt bearbeitet 06.05.2026 22:30:45
The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service (stream-processing outage) via mo...