Apache » Http Server » 2.2.0 : Security Vulnerabilities, CVEs, (Information Leak)
Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
Max CVSS
7.5
EPSS Score
0.45%
Published
2022-06-09
Updated
2023-07-21
The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue.
Max CVSS
5.3
EPSS Score
0.35%
Published
2022-06-09
Updated
2022-08-24
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service.
Max CVSS
9.1
EPSS Score
46.78%
Published
2017-07-13
Updated
2021-06-06
The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.
Max CVSS
4.3
EPSS Score
0.32%
Published
2010-03-05
Updated
2023-02-13
4 vulnerabilities found