CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Apache » Http Server » : Security Vulnerabilities

Cpe Name:cpe:/a:apache:http_server
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2011-1783 399 DoS 2011-06-06 2013-11-02
4.3
None Remote Medium Not required None None Partial
The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is enabled, allows remote attackers to cause a denial of service (infinite loop and memory consumption) in opportunistic circumstances by requesting data.
2 CVE-2011-1752 DoS 2011-06-06 2013-11-02
5.0
None Remote Low Not required None None Partial
The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.17, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request for a baselined WebDAV resource, as exploited in the wild in May 2011.
3 CVE-2009-3095 264 Bypass 2009-09-08 2016-08-22
7.5
None Remote Low Not required Partial Partial Partial
The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11.
4 CVE-2009-1955 399 1 DoS 2009-06-07 2013-10-10
7.8
None Remote Low Not required None None Complete
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
5 CVE-2008-2579 2008-07-15 2012-10-22
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the WebLogic Server Plugins for Apache, Sun and IIS web servers component in Oracle BEA Product Suite 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0 SP7, and 6.1 SP7 has unknown impact and remote attack vectors.
6 CVE-2007-5156 2 Exec Code 2007-10-01 2011-10-12
6.8
User Remote Medium Not required Partial Partial Partial
Incomplete blacklist vulnerability in editor/filemanager/upload/php/upload.php in FCKeditor, as used in SiteX CMS 0.7.3.beta, La-Nai CMS, Syntax CMS, Cardinal Cms, and probably other products, allows remote attackers to upload and execute arbitrary PHP code via a file whose name contains ".php." and has an unknown extension, which is recognized as a .php file by the Apache HTTP server, a different vulnerability than CVE-2006-0658 and CVE-2006-2529.
7 CVE-2007-4723 22 Dir. Trav. Bypass 2007-09-05 2013-08-30
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in Ragnarok Online Control Panel 4.3.4a, when the Apache HTTP Server is used, allows remote attackers to bypass authentication via directory traversal sequences in a URI that ends with the name of a publicly available page, as demonstrated by a "/...../" sequence and an account_manage.php/login.php final component for reaching the protected account_manage.php page.
8 CVE-2007-1349 399 DoS 2007-03-29 2012-11-05
4.3
None Remote Medium Not required None None Partial
PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI.
9 CVE-2007-0086 DoS 2007-01-05 2008-11-15
7.8
None Remote Low Not required None None Complete
** DISPUTED ** The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal.
10 CVE-2005-1268 DoS Overflow 2005-08-05 2010-08-21
5.0
None Remote Low Not required None None Partial
Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.
11 CVE-2003-0020 2003-03-18 2016-10-17
5.0
None Remote Low Not required None Partial None
Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.
12 CVE-2001-1556 2001-12-31 2008-09-05
5.0
None Remote Low Not required None Partial None
The log files in Apache web server contain information directly supplied by clients and does not filter or quote control characters, which could allow remote attackers to hide HTTP requests and spoof source IP addresses when logs are viewed with UNIX programs such as cat, tail, and grep.
13 CVE-2001-0131 2001-03-12 2016-10-17
1.2
None Local High Not required None Partial None
htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack.
14 CVE-1999-1412 DoS 1999-06-03 2008-09-05
10.0
None Remote Low Not required Complete Complete Complete
A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service (crash) via a flood of HTTP GET requests to CGI programs, which generates a large number of processes.
15 CVE-1999-1237 Exec Code Overflow 1999-06-06 2008-09-05
10.0
Admin Remote Low Not required Complete Complete Complete
Multiple buffer overflows in smbvalid/smbval SMB authentication library, as used in Apache::AuthenSmb and possibly other modules, allows remote attackers to execute arbitrary commands via (1) a long username, (2) a long password, and (3) other unspecified methods.
16 CVE-1999-0678 1999-01-17 2008-09-09
5.0
None Remote Low Not required Partial None None
A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the entire server.
17 CVE-1999-0289 1999-12-12 2008-09-05
5.0
None Remote Low Not required Partial None None
The Apache web server for Win32 may provide access to restricted files when a . (dot) is appended to a requested URL.
18 CVE-1999-0236 1997-01-01 2008-09-09
10.0
None Remote Low Not required Complete Complete Complete
ScriptAlias directory in NCSA and Apache httpd allowed attackers to read CGI programs.
19 CVE-1999-0070 1996-04-01 2008-09-09
5.0
None Remote Low Not required None Partial None
test-cgi program allows an attacker to list files on the server.
Total number of vulnerabilities : 19   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.