CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36387 – Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2
https://notcve.org/view.php?id=CVE-2024-36387
Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. Ofrecer actualizaciones del protocolo WebSocket a través de una conexión HTTP/2 podría provocar una desreferencia del puntero nulo, lo que provocaría una falla del proceso del servidor y degradaría el rendimiento. • https://httpd.apache.org/security/vulnerabilities_24.html https://security.netapp.com/advisory/ntap-20240712-0001 • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 2CVE-2024-27316 – Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames
https://notcve.org/view.php?id=CVE-2024-27316
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Los encabezados entrantes HTTP/2 que exceden el límite se almacenan temporalmente en nghttp2 para generar una respuesta HTTP 413 informativa. Si un cliente no deja de enviar encabezados, esto provoca que se agote la memoria. A vulnerability was found in how Apache httpd implements the HTTP/2 protocol. • https://github.com/lockness-Ko/CVE-2024-27316 https://github.com/aeyesec/CVE-2024-27316_poc http://www.openwall.com/lists/oss-security/2024/04/04/4 https://httpd.apache.org/security/vulnerabilities_24.html https://www.openwall.com/lists/oss-security/2024/04/03/16 https://support.apple.com/kb/HT214119 http://seclists.org/fulldisclosure/2024/Jul/18 https://access.redhat.com/security/cve/CVE-2024-27316 https://bugzilla.redhat.com/show_bug.cgi?id=2268277 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: -EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24795 – Apache HTTP Server: HTTP Response Splitting in multiple modules
https://notcve.org/view.php?id=CVE-2024-24795
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue. La división de la respuesta HTTP en varios módulos en el servidor HTTP Apache permite que un atacante pueda inyectar encabezados de respuesta maliciosos en aplicaciones backend para provocar un ataque de desincronización HTTP. Se recomienda a los usuarios actualizar a la versión 2.4.59, que soluciona este problema. • http://www.openwall.com/lists/oss-security/2024/04/04/5 https://httpd.apache.org/security/vulnerabilities_24.html https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html https://lists.debian.org/debian-lts-announce/2024/05/msg00014.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ https://lists.fedoraproj •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38709 – Apache HTTP Server: HTTP response splitting
https://notcve.org/view.php?id=CVE-2023-38709
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58. La validación de entrada defectuosa en el núcleo de Apache permite que generadores de contenido/backend maliciosos o explotables dividan las respuestas HTTP. Este problema afecta al servidor HTTP Apache: hasta 2.4.58. A flaw was found in httpd. The response headers are not sanitized before an HTTP response is sent when a malicious backend can insert a Content-Type, Content-Encoding, or some other headers, resulting in an HTTP response splitting. • http://www.openwall.com/lists/oss-security/2024/04/04/3 https://httpd.apache.org/security/vulnerabilities_24.html https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPV • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2023-31122 – Apache HTTP Server: mod_macro buffer over-read
https://notcve.org/view.php?id=CVE-2023-31122
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57. Vulnerabilidad de lectura fuera de límites en mod_macro del servidor Apache HTTP. Este problema afecta al servidor Apache HTTP: hasta 2.4.57. A flaw was found in the mod_macro module of httpd. When processing a very long macro, the null byte terminator will not be added, leading to an out-of-bounds read, resulting in a crash. • https://httpd.apache.org/security/vulnerabilities_24.html https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TI3V2YCEUM65QDYPGGNUZ7UONIM5OEXC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZJTT5TEFNSBWVMKCLS6EZ7PI6EJYBCO https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFDNHDH4VLFGDPY6MEZV2RO5N5FLFONW https://security.netapp.com/advisory/ntap-20231027&# • CWE-125: Out-of-bounds Read •