Total
327 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2003-1307 | 1 Apache | 1 Http Server | 2025-04-03 | 4.3 MEDIUM | N/A |
|
The mod_php module for the Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's TCP port. NOTE: the PHP developer has disputed this vulnerability, saying "The opened file descriptors are opened by Apache. It is the job of Apache to protect them ... Not a bug in PHP.
|
|||||
| CVE-2002-2012 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
Unknown vulnerability in Apache 1.3.19 running on HP Secure OS for Linux 1.0 allows remote attackers to cause "unexpected results" via an HTTP request.
|
|||||
| CVE-2000-0869 | 2 Apache, Suse | 2 Http Server, Suse Linux | 2025-04-03 | 5.0 MEDIUM | N/A |
|
The default configuration of Apache 1.3.12 in SuSE Linux 6.4 enables WebDAV, which allows remote attackers to list arbitrary directories via the PROPFIND HTTP request method.
|
|||||
| CVE-2003-0020 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.
|
|||||
| CVE-2002-0654 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
Apache 2.0 through 2.0.39 on Windows, OS2, and Netware allows remote attackers to determine the full pathname of the server via (1) a request for a .var file, which leaks the pathname in the resulting error message, or (2) via an error message that occurs when a script (child process) cannot be invoked.
|
|||||
| CVE-2002-1850 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | 7.5 HIGH |
|
mod_cgi in Apache 2.0.39 and 2.0.40 allows local users and possibly remote attackers to cause a denial of service (hang and memory consumption) by causing a CGI script to send a large amount of data to stderr, which results in a read/write deadlock between httpd and the CGI script.
|
|||||
| CVE-2001-1534 | 1 Apache | 1 Http Server | 2025-04-03 | 2.1 LOW | N/A |
|
mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.
|
|||||
| CVE-1999-0926 | 1 Apache | 1 Http Server | 2025-04-03 | 10.0 HIGH | N/A |
|
Apache allows remote attackers to conduct a denial of service via a large number of MIME headers.
|
|||||
| CVE-2003-1418 | 1 Apache | 1 Http Server | 2025-04-03 | 4.3 MEDIUM | N/A |
|
Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which reveals child process IDs (PID).
|
|||||
| CVE-2004-0751 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
The char_buffer_read function in the mod_ssl module for Apache 2.x, when using reverse proxying to an SSL server, allows remote attackers to cause a denial of service (segmentation fault).
|
|||||
| CVE-2002-0839 | 2 Apache, Debian | 2 Http Server, Debian Linux | 2025-04-03 | 7.2 HIGH | N/A |
|
The shared memory scoreboard in the HTTP daemon for Apache 1.3.x before 1.3.27 allows any user running as the Apache UID to send a SIGUSR1 signal to any process as root, resulting in a denial of service (process kill) or possibly other behaviors that would not normally be allowed, by modifying the parent[].pid and parent[].last_rtime segments in the scoreboard.
|
|||||
| CVE-2003-0192 | 1 Apache | 1 Http Server | 2025-04-03 | 6.4 MEDIUM | N/A |
|
Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite.
|
|||||
| CVE-2004-0492 | 5 Apache, Hp, Ibm and 2 more | 7 Http Server, Virtualvault, Vvos and 4 more | 2025-04-03 | 10.0 HIGH | N/A |
|
Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.
|
|||||
| CVE-2003-0987 | 1 Apache | 1 Http Server | 2025-04-03 | 7.5 HIGH | N/A |
|
mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret.
|
|||||
| CVE-1999-0045 | 2 Apache, Netscape | 4 Http Server, Commerce Server, Communications Server and 1 more | 2025-04-03 | 7.5 HIGH | N/A |
|
List of arbitrary files on Web host via nph-test-cgi script.
|
|||||
| CVE-2004-0113 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server.
|
|||||
| CVE-2001-0925 | 2 Apache, Debian | 2 Http Server, Debian Linux | 2025-04-03 | 5.0 MEDIUM | N/A |
|
The default installation of Apache before 1.3.19 allows remote attackers to list directories instead of the multiview index.html file via an HTTP request for a path that contains many / (slash) characters, which causes the path to be mishandled by (1) mod_negotiation, (2) mod_dir, or (3) mod_autoindex.
|
|||||
| CVE-2000-1204 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
Vulnerability in the mod_vhost_alias virtual hosting module for Apache 1.3.9, 1.3.11 and 1.3.12 allows remote attackers to obtain the source code for CGI programs if the cgi-bin directory is under the document root.
|
|||||
| CVE-2002-0061 | 1 Apache | 1 Http Server | 2025-04-03 | 7.5 HIGH | N/A |
|
Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell metacharacters (a | pipe character) provided as arguments to batch (.bat) or .cmd scripts, which are sent unfiltered to the shell interpreter, typically cmd.exe.
|
|||||
| CVE-2005-2088 | 2 Apache, Debian | 2 Http Server, Debian Linux | 2025-04-03 | 4.3 MEDIUM | N/A |
|
The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
|
|||||
| CVE-2001-1072 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
Apache with mod_rewrite enabled on most UNIX systems allows remote attackers to bypass RewriteRules by inserting extra / (slash) characters into the requested path, which causes the regular expression in the RewriteRule to fail.
|
|||||
| CVE-2001-0766 | 2 Apache, Apple | 2 Http Server, Mac Os X | 2025-04-03 | 7.5 HIGH | 9.8 CRITICAL |
|
Apache on MacOS X Client 10.0.3 with the HFS+ file system allows remote attackers to bypass access restrictions via a URL that contains some characters whose case is not matched by Apache's filters.
|
|||||
| CVE-2001-0131 | 2 Apache, Debian | 2 Http Server, Debian Linux | 2025-04-03 | 3.3 LOW | N/A |
|
htpasswd and htdigest in Apache 2.0a9, 1.3.14, and others allows local users to overwrite arbitrary files via a symlink attack.
|
|||||
| CVE-2004-0811 | 1 Apache | 1 Http Server | 2025-04-03 | 7.5 HIGH | N/A |
|
Unknown vulnerability in Apache 2.0.51 prevents "the merging of the Satisfy directive," which could allow attackers to obtain access to restricted resources contrary to the specified authentication configuration.
|
|||||
| CVE-1999-0070 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
test-cgi program allows an attacker to list files on the server.
|
|||||
| CVE-2002-2103 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
Apache before 1.3.24, when writing to the log file, records a spoofed hostname from the reverse lookup of an IP address, even when a double-reverse lookup fails, which allows remote attackers to hide the original source of activities.
|
|||||
| CVE-2002-0843 | 2 Apache, Oracle | 4 Http Server, Application Server, Database Server and 1 more | 2025-04-03 | 7.5 HIGH | N/A |
|
Buffer overflows in the ApacheBench benchmark support program (ab.c) in Apache before 1.3.27, and Apache 2.x before 2.0.43, allow a malicious web server to cause a denial of service and possibly execute arbitrary code via a long response.
|
|||||
| CVE-2003-0253 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service.
|
|||||
| CVE-2004-1387 | 1 Apache | 1 Http Server | 2025-04-03 | 2.1 LOW | N/A |
|
The check_forensic script in apache-utils package 1.3.31 allows local users to overwrite or create arbitrary files via a symlink attack on temporary files.
|
|||||
| CVE-2003-0083 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020.
|
|||||
| CVE-2004-0885 | 1 Apache | 1 Http Server | 2025-04-03 | 7.5 HIGH | N/A |
|
The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SSLCipherSuite" directive in directory or location context, allows remote clients to bypass intended restrictions by using any cipher suite that is allowed by the virtual host configuration.
|
|||||
| CVE-2006-3918 | 4 Apache, Canonical, Debian and 1 more | 5 Http Server, Ubuntu Linux, Debian Linux and 2 more | 2025-04-03 | 4.3 MEDIUM | N/A |
|
http_protocol.c in (1) IBM HTTP Server 6.0 before 6.0.2.13 and 6.1 before 6.1.0.1, and (2) Apache HTTP Server 1.3 before 1.3.35, 2.0 before 2.0.58, and 2.2 before 2.2.2, does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated using a Flash SWF file.
|
|||||
| CVE-2003-0134 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
Unknown vulnerability in filestat.c for Apache running on OS2, versions 2.0 through 2.0.45, allows unknown attackers to cause a denial of service via requests related to device names.
|
|||||
| CVE-2000-0868 | 2 Apache, Suse | 2 Http Server, Suse Linux | 2025-04-03 | 5.0 MEDIUM | N/A |
|
The default configuration of Apache 1.3.12 in SuSE Linux 6.4 allows remote attackers to read source code for CGI scripts by replacing the /cgi-bin/ in the requested URL with /cgi-bin-sdb/.
|
|||||
| CVE-2004-0493 | 5 Apache, Avaya, Gentoo and 2 more | 8 Http Server, Converged Communications Server, S8300 and 5 more | 2025-04-03 | 6.4 MEDIUM | N/A |
|
The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters.
|
|||||
| CVE-2004-0786 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
The IPv6 URI parsing routines in the apr-util library for Apache 2.0.50 and earlier allow remote attackers to cause a denial of service (child process crash) via a certain URI, as demonstrated using the Codenomicon HTTP Test Tool.
|
|||||
| CVE-2006-4110 | 1 Apache | 1 Http Server | 2025-04-03 | 4.3 MEDIUM | N/A |
|
Apache 2.2.2, when running on Windows, allows remote attackers to read source code of CGI programs via a request that contains uppercase (or alternate case) characters that bypass the case-sensitive ScriptAlias directive, but allow access to the file on case-insensitive file systems.
|
|||||
| CVE-2003-0460 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
The rotatelogs program on Apache before 1.3.28, for Windows and OS/2 systems, does not properly ignore certain control characters that are received over the pipe, which could allow remote attackers to cause a denial of service.
|
|||||
| CVE-2002-0240 | 1 Apache | 1 Http Server | 2025-04-03 | 5.0 MEDIUM | N/A |
|
PHP, when installed with Apache and configured to search for index.php as a default web page, allows remote attackers to obtain the full pathname of the server via the HTTP OPTIONS method, which reveals the pathname in the resulting error message.
|
|||||
| CVE-2004-2343 | 1 Apache | 1 Http Server | 2025-04-03 | 7.2 HIGH | N/A |
|
Apache HTTP Server 2.0.47 and earlier allows local users to bypass .htaccess file restrictions, as specified in httpd.conf with directives such as Deny From All, by using an ErrorDocument directive. NOTE: the vendor has disputed this issue, since the .htaccess mechanism is only intended to restrict external web access, and a local user already has the privileges to perform the same operations without using ErrorDocument
|
|||||