CVE-2024-36387 – Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2
https://notcve.org/view.php?id=CVE-2024-36387
Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. Ofrecer actualizaciones del protocolo WebSocket a través de una conexión HTTP/2 podría provocar una desreferencia del puntero nulo, lo que provocaría una falla del proceso del servidor y degradaría el rendimiento. A flaw was found in the Apache HTTP Server. Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a NULL pointer dereference, leading to a crash of the server process. • https://httpd.apache.org/security/vulnerabilities_24.html https://security.netapp.com/advisory/ntap-20240712-0001 https://access.redhat.com/security/cve/CVE-2024-36387 https://bugzilla.redhat.com/show_bug.cgi?id=2295006 • CWE-476: NULL Pointer Dereference •
CVE-2024-24795 – Apache HTTP Server: HTTP Response Splitting in multiple modules
https://notcve.org/view.php?id=CVE-2024-24795
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue. La división de la respuesta HTTP en varios módulos en el servidor HTTP Apache permite que un atacante pueda inyectar encabezados de respuesta maliciosos en aplicaciones backend para provocar un ataque de desincronización HTTP. Se recomienda a los usuarios actualizar a la versión 2.4.59, que soluciona este problema. A flaw was found in httpd. An HTTP response splitting in multiple httpd modules may allow an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. • http://www.openwall.com/lists/oss-security/2024/04/04/5 https://httpd.apache.org/security/vulnerabilities_24.html https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html https://lists.debian.org/debian-lts-announce/2024/05/msg00014.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ https://lists.fedoraproj • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2023-38709 – Apache HTTP Server: HTTP response splitting
https://notcve.org/view.php?id=CVE-2023-38709
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58. La validación de entrada defectuosa en el núcleo de Apache permite que generadores de contenido/backend maliciosos o explotables dividan las respuestas HTTP. Este problema afecta al servidor HTTP Apache: hasta 2.4.58. A flaw was found in httpd. The response headers are not sanitized before an HTTP response is sent when a malicious backend can insert a Content-Type, Content-Encoding, or some other headers, resulting in an HTTP response splitting. • http://www.openwall.com/lists/oss-security/2024/04/04/3 https://httpd.apache.org/security/vulnerabilities_24.html https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I2N2NZEX3MR64IWSGL3QGN7KSRUGAEMF https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX5U34KYGDYPRH3AJ6MDDCBJDWDPXNVJ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNV4SZAPV • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') CWE-1284: Improper Validation of Specified Quantity in Input •