CVE-2024-36387 – Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2
https://notcve.org/view.php?id=CVE-2024-36387
Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. Ofrecer actualizaciones del protocolo WebSocket a través de una conexión HTTP/2 podría provocar una desreferencia del puntero nulo, lo que provocaría una falla del proceso del servidor y degradaría el rendimiento. A flaw was found in the Apache HTTP Server. Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a NULL pointer dereference, leading to a crash of the server process. • https://httpd.apache.org/security/vulnerabilities_24.html https://security.netapp.com/advisory/ntap-20240712-0001 https://access.redhat.com/security/cve/CVE-2024-36387 https://bugzilla.redhat.com/show_bug.cgi?id=2295006 • CWE-476: NULL Pointer Dereference •
CVE-2024-24795 – Apache HTTP Server: HTTP Response Splitting in multiple modules
https://notcve.org/view.php?id=CVE-2024-24795
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue. La división de la respuesta HTTP en varios módulos en el servidor HTTP Apache permite que un atacante pueda inyectar encabezados de respuesta maliciosos en aplicaciones backend para provocar un ataque de desincronización HTTP. Se recomienda a los usuarios actualizar a la versión 2.4.59, que soluciona este problema. • http://www.openwall.com/lists/oss-security/2024/04/04/5 https://httpd.apache.org/security/vulnerabilities_24.html https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html https://lists.debian.org/debian-lts-announce/2024/05/msg00014.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ https://lists.fedoraproj • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVE-2023-38709 – Apache HTTP Server: HTTP response splitting
https://notcve.org/view.php?id=CVE-2023-38709
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58. La validación de entrada defectuosa en el núcleo de Apache permite que generadores de contenido/backend maliciosos o explotables dividan las respuestas HTTP. Este problema afecta al servidor HTTP Apache: hasta 2.4.58. A flaw was found in httpd. The response headers are not sanitized before an HTTP response is sent when a malicious backend can insert a Content-Type, Content-Encoding, or some other headers, resulting in an HTTP response splitting. • http://www.openwall.com/lists/oss-security/2024/04/04/3 https://httpd.apache.org/security/vulnerabilities_24.html https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPV • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') CWE-1284: Improper Validation of Specified Quantity in Input •
CVE-2010-1151
https://notcve.org/view.php?id=CVE-2010-1151
Race condition in the mod_auth_shadow module for the Apache HTTP Server allows remote attackers to bypass authentication, and read and possibly modify data, via vectors related to improper interaction with an external helper application for validation of credentials. Condición de carrera en el módulo mod_auth_shadow del servidor HTTP Apache permite a atacantes remotos evitar la autenticación, leer y posiblemente modificar datos, a través de vectores de ataque relacionados con errores en la interacción con una aplicación de ayuda externa para la validación de las credenciales. • http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041326.html http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041340.html http://secunia.com/advisories/39823 http://www.mandriva.com/security/advisories?name=MDVSA-2010:081 http://www.securityfocus.com/bid/39538 http://www.vupen.com/english/advisories/2010/0908 http://www.vupen.com/english/advisories/2010/1148 https://bugzilla.redhat.com/show_bug.cgi?id=578168 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2004-1082
https://notcve.org/view.php?id=CVE-2004-1082
mod_digest_apple for Apache 1.3.31 and 1.3.32 on Mac OS X Server does not properly verify the nonce of a client response, which allows remote attackers to replay credentials. • http://lists.apple.com/archives/security-announce/2004/Dec/msg00000.html http://www.ciac.org/ciac/bulletins/p-049.shtml http://www.securityfocus.com/bid/9571 http://www.securitytracker.com/alerts/2004/Dec/1012414.html https://exchange.xforce.ibmcloud.com/vulnerabilities/18347 •