Apache » Http Server » 2.4.18 : Security Vulnerabilities, CVEs, Published In 2019
In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.
Max CVSS
6.1
EPSS Score
10.59%
Published
2019-09-25
Updated
2021-06-14
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
Max CVSS
6.1
EPSS Score
7.12%
Published
2019-09-26
Updated
2021-09-09
In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.
Max CVSS
9.1
EPSS Score
0.81%
Published
2019-09-26
Updated
2022-07-25
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.
Max CVSS
5.3
EPSS Score
0.51%
Published
2019-06-11
Updated
2022-07-25
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
Max CVSS
7.5
EPSS Score
0.22%
Published
2019-04-08
Updated
2021-06-06
CVE-2019-0211
Known exploited
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
Max CVSS
7.8
EPSS Score
97.42%
Published
2019-04-08
Updated
2021-06-06
CISA KEV Added
2021-11-03
A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly.
Max CVSS
5.3
EPSS Score
0.60%
Published
2019-06-11
Updated
2021-06-06
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
Max CVSS
7.5
EPSS Score
0.17%
Published
2019-01-30
Updated
2021-06-06
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
Max CVSS
5.3
EPSS Score
0.38%
Published
2019-01-30
Updated
2021-07-06
9 vulnerabilities found