CVSS: 9.8EPSS: 46%CPEs: 12EXPL: 0CVE-2021-26691 – Apache HTTP Server mod_session response handling heap overflow
https://notcve.org/view.php?id=CVE-2021-26691
10 Jun 2021 — In Apache HTTP Server versions 2.4.0 to 2.4.46 a specially crafted SessionHeader sent by an origin server could cause a heap overflow Apache HTTP Server versiones 2.4.0 a 2.4.46 , un parámetro SessionHeader especialmente diseñado enviado por un servidor de origen podría causar un desbordamiento de pila A heap overflow flaw was found In Apache httpd mod_session. The highest threat from this vulnerability is to system availability. Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBo... • http://httpd.apache.org/security/vulnerabilities_24.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 60%CPEs: 10EXPL: 3CVE-2021-26690 – mod_session NULL pointer dereference
https://notcve.org/view.php?id=CVE-2021-26690
10 Jun 2021 — Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service Apache HTTP Server versiones 2.4.0 a 2.4.46, un encabezado de Cookie especialmente diseñado y gestionado por la función mod_session puede causar una desviación del puntero NULL y un fallo, lo que puede causar una denegación de servicio A NULL pointer dereference was found in Apache httpd mod_session. The highest threat fr... • https://github.com/7own/CVE-2021-26690---Apache-mod_session • CWE-476: NULL Pointer Dereference •
CVSS: 7.3EPSS: 6%CPEs: 10EXPL: 0CVE-2020-35452 – mod_auth_digest possible stack overflow by one nul byte
https://notcve.org/view.php?id=CVE-2020-35452
10 Jun 2021 — Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow Apache HTTP Server versiones 2.4.0 a 2.4.46 Un Digest nonce especialmente diseñado puede causa... • http://httpd.apache.org/security/vulnerabilities_24.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 17EXPL: 0CVE-2020-13938 – Improper Handling of Insufficient Privileges
https://notcve.org/view.php?id=CVE-2020-13938
10 Jun 2021 — Apache HTTP Server versions 2.4.0 to 2.4.46 Unprivileged local users can stop httpd on Windows Apache HTTP Server versiones 2.4.0 a 2.4.46 Los usuarios locales sin privilegios pueden detener httpd en Windows • http://httpd.apache.org/security/vulnerabilities_24.html • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 9%CPEs: 8EXPL: 0CVE-2019-17567 – mod_proxy_wstunnel tunneling of non Upgraded connections
https://notcve.org/view.php?id=CVE-2019-17567
10 Jun 2021 — Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured. Apache HTTP Server versiones 2.4.6 a 2.4.46 la función mod_proxy_wstunnel configurado en una URL que no es necesariamente Actualizada por el servidor de origen estaba tunel... • http://httpd.apache.org/security/vulnerabilities_24.html • CWE-287: Improper Authentication CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 5.3EPSS: 16%CPEs: 1EXPL: 0CVE-2020-11985 – httpd: IP address spoofing when proxying using mod_remoteip and mod_rewrite
https://notcve.org/view.php?id=CVE-2020-11985
07 Aug 2020 — IP address spoofing when proxying using mod_remoteip and mod_rewrite For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020. Una falsificación de direcciones IP cuando se está usando un proxy por medio de mod_remoteip y mod_rewrite para las configuraciones que usan el proxy con mod_remoteip y dete... • https://httpd.apache.org/security/vulnerabilities_24.html • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 6.1EPSS: 15%CPEs: 24EXPL: 0CVE-2020-1927 – httpd: mod_rewrite configurations vulnerable to open redirect
https://notcve.org/view.php?id=CVE-2020-1927
01 Apr 2020 — In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. En Apache HTTP Server versiones 2.4.0 hasta 2.4.41, los redireccionamientos configurados con mod_rewrite que pretendían ser autorreferenciales podrían ser engañados por nuevas líneas codificadas y redireccionadas en lugar de una URL inesperada dentro de la URL de petición. A flaw was fou... • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.3EPSS: 38%CPEs: 21EXPL: 0CVE-2020-1934 – httpd: mod_proxy_ftp use of uninitialized value
https://notcve.org/view.php?id=CVE-2020-1934
01 Apr 2020 — In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. En Apache HTTP Server versiones 2.4.0 hasta 2.4.41, mod_proxy_ftp puede usar memoria no inicializada cuando al enviar un proxy hacia un servidor FTP malicioso. A flaw was found in Apache's HTTP server (httpd) .The mod_proxy_ftp module may use uninitialized memory with proxying to a malicious FTP server. The highest threat from this vulnerability is to data confidentiality. Red Hat JBoss... • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html • CWE-456: Missing Initialization of a Variable CWE-908: Use of Uninitialized Resource •
CVSS: 6.1EPSS: 84%CPEs: 26EXPL: 4CVE-2019-10092 – Apache Httpd mod_proxy - Error Page Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-10092
27 Aug 2019 — In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed. En Apache HTTP Server versiones 2.4.0 hasta 2.4.39, se reportó un problema de cross-site scripting limitado que afecta la ... • https://www.exploit-db.com/exploits/47688 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 79%CPEs: 1EXPL: 1CVE-2019-10098 – Apache Httpd mod_rewrite - Open Redirects
https://notcve.org/view.php?id=CVE-2019-10098
27 Aug 2019 — In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. En el servidor HTTP Apache versiones 2.4.0 hasta 2.4.39, los Redireccionamientos configurados con mod_rewrite que fueron previstos a estar auto referenciados podrían ser engañados por nuevas líneas codificadas y redireccionadas a una URL inesperada dentro de la URL de la petición. A vulnera... • https://www.exploit-db.com/exploits/47689 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •