Apache » Http Server : Security Vulnerabilities, CVEs, (Gain Privilege) CVSS score >= 1
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
Max CVSS
9.8
EPSS Score
1.82%
Published
2018-03-26
Updated
2022-09-07
A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd 2.2.15-60, causing comments in the "Allow" and "Deny" configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a restricted HTTP resource.
Max CVSS
6.5
EPSS Score
0.18%
Published
2018-07-26
Updated
2023-02-12
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
Max CVSS
9.8
EPSS Score
1.40%
Published
2017-06-20
Updated
2021-06-06
The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.
Max CVSS
7.5
EPSS Score
0.21%
Published
2016-07-06
Updated
2021-06-06
4 vulnerabilities found