Page 14 of 295 results (0.014 seconds)

CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0

A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts. Existe un problema en la manera en la que mod_ssl gestionaba registros de cliente. Un atacante remoto podría enviar una petición especialmente manipulada que conduciría a que mod_ssl entre en un bucle, provocando una denegación de servicio (DoS). • http://www.securityfocus.com/bid/106743 https://httpd.apache.org/security/vulnerabilities_24.html https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd •

CVSS: 7.5EPSS: 0%CPEs: 17EXPL: 0

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. En Apache HTTP Server, de la versión 2.4.17 a la 2.4.34, mediante el envío continuo de tramas SETTINGS grandes, un cliente puede ocupar una conexión, hilo del servidor y tiempo de CPU sin que se active ningún agotamiento del tiempo de conexión. Esto solo afecta a las conexiones HTTP/2. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html http://www.securityfocus.com/bid/105414 http://www.securitytracker.com/id/1041713 https://access.redhat.com/errata/RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2019:0366 https://access.redhat.com/errata/RHSA-2019:0367 https://httpd.apache.org/security/vulnerabilities_24.html https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7f • CWE-20: Improper Input Validation •

CVSS: 6.1EPSS: 0%CPEs: 41EXPL: 0

Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31). Posible inyección CRLF que permite ataques de separación de respuesta HTTP para los sitios que emplean mod_userdir. • http://www.securityfocus.com/bid/105093 https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975 https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975 https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E https&# • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •

CVSS: 7.5EPSS: 94%CPEs: 2EXPL: 0

By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.33). Manipulando especialmente peticiones HTTP, el manipulador challenge mod_md desreferencia un puntero NULL y hace que el proceso hijo entre en segfault. Esto podría emplearse para provocar una denegación de servicio (DoS) en el servidor. • http://www.securitytracker.com/id/1041401 https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011 https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf&# • CWE-476: NULL Pointer Dereference •

CVSS: 7.5EPSS: 7%CPEs: 8EXPL: 0

By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.18-2.4.30,2.4.33). Al manipular especialmente las peticiones HTTP/2, los trabajadores se asignarían 60 segundos más de los necesarios, lo que conduce a un agotamiento de los trabajadores y a una denegación de servicio (DoS). Esto se ha solucionado en Apache HTTP Server 2.4.34 (2.4.18 - 2.4.30, 2.4.33 afectadas). • http://www.securitytracker.com/id/1041402 https://access.redhat.com/errata/RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2019:0366 https://access.redhat.com/errata/RHSA-2019:0367 https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-1333 https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E https://lists.apache.o • CWE-400: Uncontrolled Resource Consumption •