Product:

Http_server

(Apache)
Repositories https://github.com/apache/httpd
#Vulnerabilities 291
Date Id Summary Products Score Patch Annotated
2021-09-16 CVE-2021-34798 Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier. Http_server, Brocade_fabric_operating_system_firmware, Debian_linux, Fedora, Cloud_backup, Clustered_data_ontap, Storagegrid, Communications_cloud_native_core_network_function_cloud_native_environment, Enterprise_manager_base_platform, Http_server, Instantis_enterprisetrack, Peoplesoft_enterprise_peopletools, Zfs_storage_appliance_kit, Ruggedcom_nms, Sinec_nms, Sinema_remote_connect_server, Sinema_server, Tenable\.sc 7.5
2021-10-05 CVE-2021-41524 While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project. Http_server, Fedora, Cloud_backup, Instantis_enterprisetrack 7.5
2021-12-20 CVE-2021-44224 A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). Http_server, Mac_os_x, Macos, Debian_linux, Fedora, Communications_element_manager, Communications_operations_monitor, Communications_session_report_manager, Communications_session_route_manager, Http_server, Instantis_enterprisetrack, Tenable\.sc 8.2
2022-03-14 CVE-2022-22719 A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier. Http_server, Mac_os_x, Macos, Debian_linux, Fedora, Http_server, Zfs_storage_appliance_kit 7.5
2022-03-14 CVE-2022-22720 Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling Http_server, Mac_os_x, Macos, Debian_linux, Fedora, Enterprise_manager_ops_center, Http_server, Zfs_storage_appliance_kit 9.8
2022-03-14 CVE-2022-22721 If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier. Http_server, Mac_os_x, Macos, Debian_linux, Fedora, Enterprise_manager_ops_center, Http_server, Zfs_storage_appliance_kit 9.1
2022-06-09 CVE-2022-28614 The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue. Http_server, Fedora, Clustered_data_ontap 5.3
2022-06-09 CVE-2022-28330 Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the mod_isapi module. Http_server 5.3
2022-06-09 CVE-2022-29404 In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. Http_server, Fedora, Clustered_data_ontap 7.5
2022-06-09 CVE-2022-30522 If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort. Http_server, Fedora, Clustered_data_ontap 7.5