This is an automated email from the ASF dual-hosted git repository.
git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/httpd-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 1c88e26 Automatic Site Publish by Buildbot
1c88e26 is described below
commit 1c88e26532668d0f75b088e56f6277a2b8c0a246
Author: buildbot <us...@infra.apache.org>
AuthorDate: Tue Jan 17 16:16:12 2023 +0000
Automatic Site Publish by Buildbot
---
output/ABOUT_APACHE.html | 2 +-
output/apreq/download.html | 2 +-
output/apreq/index.html | 2 +-
output/bug_report.html | 2 +-
output/contribute/index.html | 2 +-
output/contributors/index.html | 2 +-
output/dev/debugging.html | 2 +-
output/dev/devnotes.html | 2 +-
output/dev/guidelines.html | 2 +-
output/dev/index.html | 2 +-
output/dev/patches.html | 2 +-
output/dev/release.html | 2 +-
output/dev/styleguide.html | 2 +-
output/dev/verification.html | 2 +-
output/doap.rdf | 4 +-
output/docs-project/avail_translations.html | 2 +-
output/docs-project/contribute.html | 2 +-
output/docs-project/contributors.html | 4 +-
output/docs-project/docsformat.html | 2 +-
output/docs-project/goingfurther.html | 2 +-
output/docs-project/index.html | 2 +-
output/docs-project/svn.html | 2 +-
output/docs-project/translations.html | 2 +-
output/docs/index.html | 2 +-
output/download.html | 26 +-
output/index.html | 10 +-
output/info/index.html | 2 +-
output/lists.html | 2 +-
output/mod_fcgid/index.html | 2 +-
output/mod_ftp/index.html | 2 +-
output/mod_mbox/index.html | 2 +-
output/mod_mbox/install.html | 2 +-
output/mod_mbox/ref.html | 2 +-
output/mod_smtpd/index.html | 2 +-
output/mod_smtpd/install.html | 2 +-
output/modules/index.html | 2 +-
output/security/impact_levels.html | 2 +-
output/security/json/CVE-2006-20001.json | 110 +
output/security/json/CVE-2022-36760.json | 103 +
output/security/json/CVE-2022-37436.json | 88 +
output/security/vulnerabilities-httpd.json | 27835 +++++++++++++-------------
output/security/vulnerabilities_13.html | 406 -
output/security/vulnerabilities_20.html | 730 -
output/security/vulnerabilities_22.html | 792 -
output/security/vulnerabilities_24.html | 1064 -
output/security_report.html | 2 +-
output/support.html | 2 +-
output/test/flood/building.html | 2 +-
output/test/flood/faq.html | 2 +-
output/test/flood/index.html | 2 +-
output/test/index.html | 2 +-
output/usersdelist.html | 2 +-
output/userslist.html | 2 +-
53 files changed, 14432 insertions(+), 16822 deletions(-)
diff --git a/output/ABOUT_APACHE.html b/output/ABOUT_APACHE.html
index 120c393..2958d21 100644
--- a/output/ABOUT_APACHE.html
+++ b/output/ABOUT_APACHE.html
@@ -260,7 +260,7 @@ marks.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/apreq/download.html b/output/apreq/download.html
index 8441702..ec84041 100644
--- a/output/apreq/download.html
+++ b/output/apreq/download.html
@@ -137,7 +137,7 @@ users can get binary md5 programs from <a href="http://www.fourmilab.ch/md5/">he
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/apreq/index.html b/output/apreq/index.html
index 292a3da..b47fa9a 100644
--- a/output/apreq/index.html
+++ b/output/apreq/index.html
@@ -166,7 +166,7 @@ and <a href="http://svn.apache.org/viewcvs.cgi/httpd/apreq/trunk/">httpd-apreq-2
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/bug_report.html b/output/bug_report.html
index 7beb478..17fb6ef 100644
--- a/output/bug_report.html
+++ b/output/bug_report.html
@@ -144,7 +144,7 @@ Bugzilla project for Apache HTTPD is "Apache httpd-2".</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/contribute/index.html b/output/contribute/index.html
index e41b425..81c259c 100644
--- a/output/contribute/index.html
+++ b/output/contribute/index.html
@@ -115,7 +115,7 @@ mailing list.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/contributors/index.html b/output/contributors/index.html
index 45e91a4..0797cc6 100644
--- a/output/contributors/index.html
+++ b/output/contributors/index.html
@@ -994,7 +994,7 @@ Graduate Student<br/> <strong>Location:</strong> Charlottesville, VA<br/>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/dev/debugging.html b/output/dev/debugging.html
index b000fe8..f40b975 100644
--- a/output/dev/debugging.html
+++ b/output/dev/debugging.html
@@ -505,7 +505,7 @@ file analysis tool.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/dev/devnotes.html b/output/dev/devnotes.html
index 9d38dbb..068fafe 100644
--- a/output/dev/devnotes.html
+++ b/output/dev/devnotes.html
@@ -240,7 +240,7 @@ keyword as part of the commit message.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/dev/guidelines.html b/output/dev/guidelines.html
index 476b131..15b8446 100644
--- a/output/dev/guidelines.html
+++ b/output/dev/guidelines.html
@@ -470,7 +470,7 @@ overridden.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/dev/index.html b/output/dev/index.html
index 8054d2a..84cf07b 100644
--- a/output/dev/index.html
+++ b/output/dev/index.html
@@ -167,7 +167,7 @@ API</li>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/dev/patches.html b/output/dev/patches.html
index df6347c..2f4ad0d 100644
--- a/output/dev/patches.html
+++ b/output/dev/patches.html
@@ -242,7 +242,7 @@ the droppings.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/dev/release.html b/output/dev/release.html
index 0133e4f..da5d51f 100644
--- a/output/dev/release.html
+++ b/output/dev/release.html
@@ -443,7 +443,7 @@ you found this document useful.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/dev/styleguide.html b/output/dev/styleguide.html
index 6f5c837..50fef48 100644
--- a/output/dev/styleguide.html
+++ b/output/dev/styleguide.html
@@ -238,7 +238,7 @@ a = !b
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/dev/verification.html b/output/dev/verification.html
index 66d1655..632387f 100644
--- a/output/dev/verification.html
+++ b/output/dev/verification.html
@@ -239,7 +239,7 @@ fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0 *httpd-2.4.34.t
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/doap.rdf b/output/doap.rdf
index a447116..287c18c 100644
--- a/output/doap.rdf
+++ b/output/doap.rdf
@@ -38,8 +38,8 @@
<release>
<Version>
<name>Recommended current 2.4 release</name>
- <created>2022-06-08</created>
- <revision>2.4.54</revision>
+ <created>2023-01-17</created>
+ <revision>2.4.55</revision>
</Version>
</release>
diff --git a/output/docs-project/avail_translations.html b/output/docs-project/avail_translations.html
index fa0b0b6..dc693b5 100644
--- a/output/docs-project/avail_translations.html
+++ b/output/docs-project/avail_translations.html
@@ -1297,7 +1297,7 @@ us know. ( <a href="translations.html">Back to translations page</a> )</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/docs-project/contribute.html b/output/docs-project/contribute.html
index 9a072a5..bd43f40 100644
--- a/output/docs-project/contribute.html
+++ b/output/docs-project/contribute.html
@@ -239,7 +239,7 @@ Server were contributed by</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/docs-project/contributors.html b/output/docs-project/contributors.html
index 9790910..6d8775b 100644
--- a/output/docs-project/contributors.html
+++ b/output/docs-project/contributors.html
@@ -119,7 +119,7 @@ to the Apache HTTP Server documentation. Thanks to all of them!</p>
<li>gryzor : Vincent Deffontaines</li>
<li>humbedooh : Daniel Victor Gruno</li>
<li>ianh : Ian Holsman</li>
-<li>igalic : Igor Galić</li>
+<li>igalic : Igor Galić</li>
<li>jerenkrantz : Justin Erenkrantz</li>
<li>jfclere : Jean-Frederic Clere</li>
<li>jim : Jim Jagielski</li>
@@ -201,7 +201,7 @@ Server were contributed by</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/docs-project/docsformat.html b/output/docs-project/docsformat.html
index 4ad9072..1510dde 100644
--- a/output/docs-project/docsformat.html
+++ b/output/docs-project/docsformat.html
@@ -194,7 +194,7 @@ substitution table may be a better solution.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/docs-project/goingfurther.html b/output/docs-project/goingfurther.html
index c3f05d8..9c172d0 100644
--- a/output/docs-project/goingfurther.html
+++ b/output/docs-project/goingfurther.html
@@ -195,7 +195,7 @@ to generate HTML files from xml ones (see <a href="docsformat.html">this documen
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/docs-project/index.html b/output/docs-project/index.html
index 84f6a06..348a1a4 100644
--- a/output/docs-project/index.html
+++ b/output/docs-project/index.html
@@ -177,7 +177,7 @@ many people. We've listed them <a href="contributors.html">over here</a>.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/docs-project/svn.html b/output/docs-project/svn.html
index eaa0479..00f0e61 100644
--- a/output/docs-project/svn.html
+++ b/output/docs-project/svn.html
@@ -146,7 +146,7 @@ making. If it's in reference to a specific bug ticket, mention that, too.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/docs-project/translations.html b/output/docs-project/translations.html
index 4c6a94d..0228319 100644
--- a/output/docs-project/translations.html
+++ b/output/docs-project/translations.html
@@ -184,7 +184,7 @@ start.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/docs/index.html b/output/docs/index.html
index e7930fc..b2b2fc0 100644
--- a/output/docs/index.html
+++ b/output/docs/index.html
@@ -114,7 +114,7 @@ help to improve the docs.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/download.html b/output/download.html
index 7d5a6dc..304ece5 100644
--- a/output/download.html
+++ b/output/download.html
@@ -100,33 +100,33 @@ families of releases, are available from the
<a href="//httpd.apache.org/docs/current/platform/windows.html#down">a number of third party vendors</a>.</p>
<p>Stable Release - Latest Version:</p>
<ul>
-<li><a href="#apache24">2.4.54</a> (released 2022-06-08)</li>
+<li><a href="#apache24">2.4.55</a> (released 2023-01-17)</li>
</ul>
<p>If you are downloading the Win32 distribution, please read these <a href="[preferred]httpd/binaries/win32/README.html">important
notes</a>.</p>
-<h1 id="apache24">Apache HTTP Server 2.4.54 (httpd): 2.4.54 is the latest available version <span>2022-06-08</span><a class="headerlink" href="#apache24" title="Permalink">¶</a></h1>
+<h1 id="apache24">Apache HTTP Server 2.4.55 (httpd): 2.4.55 is the latest available version <span>2023-01-17</span><a class="headerlink" href="#apache24" title="Permalink">¶</a></h1>
<p>The Apache HTTP Server Project is pleased to
<a href="//downloads.apache.org/httpd/Announcement2.4.txt">announce</a> the
-release of version 2.4.54 of the Apache HTTP Server ("Apache" and "httpd").
+release of version 2.4.55 of the Apache HTTP Server ("Apache" and "httpd").
This version of Apache is our latest GA release of the new generation 2.4.x
branch of Apache HTTPD and represents fifteen years of innovation by the
project, and is recommended over all previous releases!</p>
<p>For details, see the <a href="//downloads.apache.org/httpd/Announcement2.4.html">Official
Announcement</a> and
the <a href="[preferred]httpd/CHANGES_2.4">CHANGES_2.4</a> and
-<a href="[preferred]httpd/CHANGES_2.4.54">CHANGES_2.4.54</a> lists.</p>
+<a href="[preferred]httpd/CHANGES_2.4.55">CHANGES_2.4.55</a> lists.</p>
<ul>
<li>
-<p>Source: <a href="[preferred]httpd/httpd-2.4.54.tar.bz2">httpd-2.4.54.tar.bz2</a>
-[ <a href="https://downloads.apache.org/httpd/httpd-2.4.54.tar.bz2.asc">PGP</a> ] [
-<a href="https://downloads.apache.org/httpd/httpd-2.4.54.tar.bz2.sha256">SHA256</a> ] [
-<a href="https://downloads.apache.org/httpd/httpd-2.4.54.tar.bz2.sha512">SHA512</a> ]</p>
+<p>Source: <a href="[preferred]httpd/httpd-2.4.55.tar.bz2">httpd-2.4.55.tar.bz2</a>
+[ <a href="https://downloads.apache.org/httpd/httpd-2.4.55.tar.bz2.asc">PGP</a> ] [
+<a href="https://downloads.apache.org/httpd/httpd-2.4.55.tar.bz2.sha256">SHA256</a> ] [
+<a href="https://downloads.apache.org/httpd/httpd-2.4.55.tar.bz2.sha512">SHA512</a> ]</p>
</li>
<li>
-<p>Source: <a href="[preferred]httpd/httpd-2.4.54.tar.gz">httpd-2.4.54.tar.gz</a> [
-<a href="https://downloads.apache.org/httpd/httpd-2.4.54.tar.gz.asc">PGP</a> ] [
-<a href="https://downloads.apache.org/httpd/httpd-2.4.54.tar.gz.sha256">SHA256</a> ] [
-<a href="https://downloads.apache.org/httpd/httpd-2.4.54.tar.gz.sha512">SHA512</a> ]</p>
+<p>Source: <a href="[preferred]httpd/httpd-2.4.55.tar.gz">httpd-2.4.55.tar.gz</a> [
+<a href="https://downloads.apache.org/httpd/httpd-2.4.55.tar.gz.asc">PGP</a> ] [
+<a href="https://downloads.apache.org/httpd/httpd-2.4.55.tar.gz.sha256">SHA256</a> ] [
+<a href="https://downloads.apache.org/httpd/httpd-2.4.55.tar.gz.sha512">SHA512</a> ]</p>
</li>
<li>
<p><a href="[preferred]httpd/binaries/">Binaries</a></p>
@@ -232,7 +232,7 @@ verify our releases and how to do it.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/index.html b/output/index.html
index 5868fd1..30c7dec 100644
--- a/output/index.html
+++ b/output/index.html
@@ -96,16 +96,16 @@ standards.</p>
April 1996. It has celebrated its 25th birthday as a project in February 2020.</p>
<p>The Apache HTTP Server is a project of <a href="http://www.apache.org/">The Apache Software
Foundation</a>.</p>
-<h1 id="apache-httpd-2454-released-2022-06-08">Apache httpd 2.4.54 Released <span>2022-06-08</span><a class="headerlink" href="#apache-httpd-2454-released-2022-06-08" title="Permalink">¶</a></h1>
+<h1 id="apache-httpd-2455-released-2023-01-17">Apache httpd 2.4.55 Released <span>2023-01-17</span><a class="headerlink" href="#apache-httpd-2455-released-2023-01-17" title="Permalink">¶</a></h1>
<p>The Apache Software Foundation and the Apache HTTP Server Project are
pleased to
<a href="http://downloads.apache.org/httpd/Announcement2.4.html">announce</a> the
-release of version 2.4.54 of the Apache HTTP Server ("httpd").</p>
+release of version 2.4.55 of the Apache HTTP Server ("httpd").</p>
<p>This latest release from the 2.4.x stable branch represents the best available
version of Apache HTTP Server.</p>
<p>Apache HTTP Server version 2.<span>4</span>.43 or newer is required in order to operate a TLS 1.3 web server with OpenSSL 1.1.1.</p>
-<p class="centered"><a href="download.cgi#apache24">Download</a> | <a href="http://downloads.apache.org/httpd/CHANGES_2.4.54">ChangeLog for
-2.4.54</a> | <a href="http://downloads.apache.org/httpd/CHANGES_2.4">Complete ChangeLog for
+<p class="centered"><a href="download.cgi#apache24">Download</a> | <a href="http://downloads.apache.org/httpd/CHANGES_2.4.55">ChangeLog for
+2.4.55</a> | <a href="http://downloads.apache.org/httpd/CHANGES_2.4">Complete ChangeLog for
2.4</a> | <a href="docs/trunk/new_features_2_4.html">New Features in httpd
2.4</a></p>
<h1 id="apache-httpd-22-end-of-life-2018-01-01">Apache httpd 2.2 End-of-Life <span>2018-01-01</span><a class="headerlink" href="#apache-httpd-22-end-of-life-2018-01-01" title="Permalink">¶</a></h1>
@@ -127,7 +127,7 @@ PGP or MD5 signatures.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/info/index.html b/output/info/index.html
index 45739d7..83e48d5 100644
--- a/output/info/index.html
+++ b/output/info/index.html
@@ -105,7 +105,7 @@ setup your site as an Apache mirror.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/lists.html b/output/lists.html
index a647c2b..0d30d1f 100644
--- a/output/lists.html
+++ b/output/lists.html
@@ -393,7 +393,7 @@ development questions to the <a href="#http-dev">Main Development Discussion Lis
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/mod_fcgid/index.html b/output/mod_fcgid/index.html
index 69caf50..b500da8 100644
--- a/output/mod_fcgid/index.html
+++ b/output/mod_fcgid/index.html
@@ -133,7 +133,7 @@ Apache HTTP Server subproject in 2009, shepherded by Chris Darroch
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/mod_ftp/index.html b/output/mod_ftp/index.html
index f555cf6..f3b04d1 100644
--- a/output/mod_ftp/index.html
+++ b/output/mod_ftp/index.html
@@ -129,7 +129,7 @@ Project in 2007.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/mod_mbox/index.html b/output/mod_mbox/index.html
index 7821c4f..7dda716 100644
--- a/output/mod_mbox/index.html
+++ b/output/mod_mbox/index.html
@@ -144,7 +144,7 @@ while Maxime worked on improving the module's user interface.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/mod_mbox/install.html b/output/mod_mbox/install.html
index 86d36e3..574f59c 100644
--- a/output/mod_mbox/install.html
+++ b/output/mod_mbox/install.html
@@ -166,7 +166,7 @@ information on these directives.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/mod_mbox/ref.html b/output/mod_mbox/ref.html
index f9af2d4..e66020d 100644
--- a/output/mod_mbox/ref.html
+++ b/output/mod_mbox/ref.html
@@ -142,7 +142,7 @@ obfuscation, thus avoiding spam to mailing list users. For exemple,
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/mod_smtpd/index.html b/output/mod_smtpd/index.html
index b2a8f45..a2e2a5b 100644
--- a/output/mod_smtpd/index.html
+++ b/output/mod_smtpd/index.html
@@ -143,7 +143,7 @@ commit logs for httpd, including mod_mbox (
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/mod_smtpd/install.html b/output/mod_smtpd/install.html
index a15cbb2..f0a6e25 100644
--- a/output/mod_smtpd/install.html
+++ b/output/mod_smtpd/install.html
@@ -131,7 +131,7 @@ configuration here<br/></VirtualHost
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/modules/index.html b/output/modules/index.html
index c1eb3cf..9232182 100644
--- a/output/modules/index.html
+++ b/output/modules/index.html
@@ -256,7 +256,7 @@ Placeholder</a></li>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/security/impact_levels.html b/output/security/impact_levels.html
index 0202b85..9365b51 100644
--- a/output/security/impact_levels.html
+++ b/output/security/impact_levels.html
@@ -127,7 +127,7 @@ exploit gives minimal consequences.</p>
<!-- FOOTER -->
<div id="footer">
- <p>Copyright © 1997-2022 The Apache Software Foundation.<br />
+ <p>Copyright © 1997-2023 The Apache Software Foundation.<br />
Apache HTTP Server, Apache, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</div>
</div>
diff --git a/output/security/json/CVE-2006-20001.json b/output/security/json/CVE-2006-20001.json
new file mode 100644
index 0000000..e054b0a
--- /dev/null
+++ b/output/security/json/CVE-2006-20001.json
@@ -0,0 +1,110 @@
+{
+ "cveMetadata": {
+ "cveId": "CVE-2006-20001",
+ "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
+ "serial": 1,
+ "state": "PUBLISHED"
+ },
+ "CNA_private": {
+ "emailed": null,
+ "projecturl": "https://httpd.apache.org/",
+ "owner": "httpd",
+ "userslist": "users@httpd.apache.org",
+ "state": "REVIEW",
+ "todo": [],
+ "type": "unsure"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
+ },
+ "title": "mod_dav out of bounds read, or write of zero byte",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "CWE-787 Out-of-bounds Write",
+ "lang": "en",
+ "cweId": "CWE-787",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "affected": [
+ {
+ "vendor": "Apache Software Foundation",
+ "product": "Apache HTTP Server",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "2.4",
+ "lessThanOrEqual": "2.4.54",
+ "versionType": "semver"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "descriptions": [
+ {
+ "value": "A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.\n\nThis issue affects Apache HTTP Server 2.4.54 and earlier.\n",
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "type": "text/html",
+ "base64": false,
+ "value": "A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.<br><br>This issue affects Apache HTTP Server 2.4.54 and earlier.<br>"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://httpd.apache.org/security/vulnerabilities_24.html",
+ "tags": [
+ "vendor-advisory"
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "other": {
+ "type": "Textual description of severity",
+ "content": {
+ "text": "moderate"
+ }
+ }
+ }
+ ],
+ "timeline": [
+ {
+ "time": "2006-10-31T19:00:00.000Z",
+ "lang": "en",
+ "value": "Described in first edition of \"The Art of Software Security Assessment\""
+ },
+ {
+ "time": "2022-08-10T19:00:00.000Z",
+ "lang": "en",
+ "value": "Reported to security team"
+ }
+ ],
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ }
+ }
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2023-01-17",
+ "value": "2.4.55 released"
+ }
+ ]
+}
diff --git a/output/security/json/CVE-2022-36760.json b/output/security/json/CVE-2022-36760.json
new file mode 100644
index 0000000..206019b
--- /dev/null
+++ b/output/security/json/CVE-2022-36760.json
@@ -0,0 +1,103 @@
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "defaultStatus": "unaffected",
+ "product": "Apache HTTP Server",
+ "vendor": "Apache Software Foundation",
+ "versions": [
+ {
+ "lessThanOrEqual": "2.4.54",
+ "status": "affected",
+ "version": "2.4",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "type": "finder",
+ "value": "ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group"
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions."
+ }
+ ],
+ "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions."
+ }
+ ],
+ "metrics": [
+ {
+ "other": {
+ "content": {
+ "text": "moderate"
+ },
+ "type": "Textual description of severity"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-444",
+ "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
+ },
+ "references": [
+ {
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
+ }
+ ],
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "timeline": [
+ {
+ "lang": "en",
+ "time": "2022-07-12T15:00:00.000Z",
+ "value": "Reported to security team"
+ }
+ ],
+ "title": "Apache HTTP Server: mod_proxy_ajp Possible request smuggling",
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
+ "cveId": "CVE-2022-36760",
+ "serial": 1,
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2023-01-17",
+ "value": "2.4.55 released"
+ }
+ ]
+}
diff --git a/output/security/json/CVE-2022-37436.json b/output/security/json/CVE-2022-37436.json
new file mode 100644
index 0000000..28b89f7
--- /dev/null
+++ b/output/security/json/CVE-2022-37436.json
@@ -0,0 +1,88 @@
+{
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "defaultStatus": "unaffected",
+ "product": "Apache HTTP Server",
+ "vendor": "Apache Software Foundation",
+ "versions": [
+ {
+ "lessThan": "2.4.55",
+ "status": "affected",
+ "version": "0",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "type": "finder",
+ "value": "Dimas Fariski Setyawan Putra (@nyxsorcerer)"
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client."
+ }
+ ],
+ "value": "Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client."
+ }
+ ],
+ "metrics": [
+ {
+ "other": {
+ "content": {
+ "text": "moderate"
+ },
+ "type": "Textual description of severity"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-113",
+ "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "title": "Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting",
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
+ "cveId": "CVE-2022-37436",
+ "serial": 1,
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2023-01-17",
+ "value": "2.4.55 released"
+ }
+ ]
+}
diff --git a/output/security/vulnerabilities-httpd.json b/output/security/vulnerabilities-httpd.json
index e93a0a3..b3df422 100644
--- a/output/security/vulnerabilities-httpd.json
+++ b/output/security/vulnerabilities-httpd.json
@@ -9,19 +9,19 @@
"references": {},
"timeline": [
{
- "time": "2005-08-30",
+ "time": "2003-04-30",
"lang": "eng",
"value": "reported"
},
{
- "time": "2005-08-30",
+ "time": "2003-07-09",
"lang": "eng",
"value": "public"
},
{
- "time": "2005-10-14",
+ "time": "2003-07-09",
"lang": "eng",
- "value": "2.0.55 released"
+ "value": "2.0.47 released"
}
],
"CNA_private": {
@@ -31,9 +31,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2005-08-30",
- "ID": "CVE-2005-2700",
- "TITLE": "SSLVerifyClient bypass"
+ "DATE_PUBLIC": "2003-07-09",
+ "ID": "CVE-2003-0192",
+ "TITLE": "mod_ssl renegotiation issue"
},
"source": {
"defect": [],
@@ -46,7 +46,7 @@
"description": [
{
"lang": "eng",
- "value": "SSLVerifyClient bypass"
+ "value": "mod_ssl renegotiation issue"
}
]
}
@@ -56,13 +56,13 @@
"description_data": [
{
"lang": "eng",
- "value": "A flaw in the mod_ssl handling of the \"SSLVerifyClient\" directive. This flaw would occur if a virtual host has been configured using \"SSLVerifyClient optional\" and further a directive \"SSLVerifyClient required\" is set for a specific location. For servers configured in this fashion, an attacker may be able to access resources that should otherwise be protected, by not supplying a client certificate when connecting."
+ "value": "A bug in the optional renegotiation code in mod_ssl included with Apache httpd can cause cipher suite restrictions to be ignored. This is triggered if optional renegotiation is used (SSLOptions +OptRenegotiate) along with verification of client certificates and a change to the cipher suite over the renegotiation."
}
]
},
"impact": [
{
- "other": "important"
+ "other": "low"
}
],
"affects": {
@@ -76,46 +76,6 @@
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.54"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.53"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.52"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.51"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.50"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.49"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.48"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.47"
- },
{
"version_name": "2.0",
"version_affected": "=",
@@ -186,19 +146,19 @@
"references": {},
"timeline": [
{
- "time": "2019-01-23",
+ "time": "2019-01-01",
"lang": "eng",
"value": "reported"
},
{
- "time": "2019-04-01",
+ "time": "2019-01-22",
"lang": "eng",
"value": "public"
},
{
- "time": "2019-04-01",
+ "time": "2019-02-28",
"lang": "eng",
- "value": "2.4.39 released"
+ "value": "2.4.38 released"
}
],
"CNA_private": {
@@ -208,9 +168,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2019-04-01",
- "ID": "CVE-2019-0215",
- "TITLE": "mod_ssl access control bypass"
+ "DATE_PUBLIC": "2019-01-22",
+ "ID": "CVE-2019-0190",
+ "TITLE": "mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1"
},
"source": {
"defect": [],
@@ -223,7 +183,7 @@
"description": [
{
"lang": "eng",
- "value": "mod_ssl access control bypass"
+ "value": "mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1"
}
]
}
@@ -232,14 +192,14 @@
"credit": [
{
"lang": "eng",
- "value": "The issue was discovered by Michael Kaufmann."
+ "value": "The issue was discovered through user bug reports."
}
],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions."
+ "value": "A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts."
}
]
},
@@ -259,11 +219,6 @@
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.38"
- },
{
"version_name": "2.4",
"version_affected": "=",
@@ -289,19 +244,19 @@
"references": {},
"timeline": [
{
- "time": "2009-06-26",
+ "time": "2010-03-03",
"lang": "eng",
"value": "reported"
},
{
- "time": "2009-06-26",
+ "time": "2010-10-01",
"lang": "eng",
"value": "public"
},
{
- "time": "2009-07-27",
+ "time": "2010-10-19",
"lang": "eng",
- "value": "2.2.12 released"
+ "value": "2.2.17 released"
},
{
"time": "2010-10-19",
@@ -316,9 +271,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2009-06-26",
- "ID": "CVE-2009-1891",
- "TITLE": "mod_deflate DoS"
+ "DATE_PUBLIC": "2010-10-01",
+ "ID": "CVE-2010-1623",
+ "TITLE": "apr_bridage_split_line DoS"
},
"source": {
"defect": [],
@@ -331,7 +286,7 @@
"description": [
{
"lang": "eng",
- "value": "mod_deflate DoS"
+ "value": "apr_bridage_split_line DoS"
}
]
}
@@ -341,7 +296,7 @@
"description_data": [
{
"lang": "eng",
- "value": "A denial of service flaw was found in the mod_deflate module. This module continued to compress large files until compression was complete, even if the network connection that requested the content was closed before compression completed. This would cause mod_deflate to consume large amounts of CPU if mod_deflate was enabled for a large file."
+ "value": "A flaw was found in the apr_brigade_split_line() function of the bundled APR-util library, used to process non-SSL requests. A remote attacker could send requests, carefully crafting the timing of individual bytes, which would slowly consume memory, potentially leading to a denial of service."
}
]
},
@@ -361,6 +316,31 @@
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.16"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.15"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.14"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.13"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.12"
+ },
{
"version_name": "2.2",
"version_affected": "=",
@@ -546,24 +526,19 @@
"references": {},
"timeline": [
{
- "time": "2011-12-30",
+ "time": "2013-03-05",
"lang": "eng",
"value": "reported"
},
{
- "time": "2012-01-11",
+ "time": "2018-03-21",
"lang": "eng",
"value": "public"
},
{
- "time": "2012-01-31",
- "lang": "eng",
- "value": "2.2.22 released"
- },
- {
- "time": "2013-07-22",
+ "time": "2018-03-21",
"lang": "eng",
- "value": "2.0.65 released"
+ "value": "2.4.33 released"
}
],
"CNA_private": {
@@ -573,9 +548,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2012-01-11",
- "ID": "CVE-2012-0031",
- "TITLE": "scoreboard parent DoS"
+ "DATE_PUBLIC": "2018-03-21",
+ "ID": "CVE-2018-1312",
+ "TITLE": "Weak Digest auth nonce generation in mod_auth_digest"
},
"source": {
"defect": [],
@@ -588,7 +563,7 @@
"description": [
{
"lang": "eng",
- "value": "scoreboard parent DoS"
+ "value": "Weak Digest auth nonce generation in mod_auth_digest"
}
]
}
@@ -597,14 +572,14 @@
"credit": [
{
"lang": "eng",
- "value": "This issue was reported by halfdog"
+ "value": "The issue was discovered by Nicolas Daniels."
}
],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "A flaw was found in the handling of the scoreboard. An unprivileged child process could cause the parent process to crash at shutdown rather than terminate cleanly."
+ "value": "When generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection."
}
]
},
@@ -625,224 +600,99 @@
"version": {
"version_data": [
{
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.21"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.20"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.19"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.18"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.17"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.16"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.15"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.14"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.13"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.12"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.11"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.10"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.9"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.8"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.6"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.5"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.4"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.3"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.2"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.0"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.64"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.63"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.61"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.59"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.58"
- },
- {
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.55"
+ "version_value": "2.4.29"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.54"
+ "version_value": "2.4.28"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.53"
+ "version_value": "2.4.27"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.52"
+ "version_value": "2.4.26"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.51"
+ "version_value": "2.4.25"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.50"
+ "version_value": "2.4.23"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.49"
+ "version_value": "2.4.20"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.48"
+ "version_value": "2.4.18"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.47"
+ "version_value": "2.4.17"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.46"
+ "version_value": "2.4.16"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.45"
+ "version_value": "2.4.12"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.44"
+ "version_value": "2.4.10"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.43"
+ "version_value": "2.4.9"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.42"
+ "version_value": "2.4.7"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.40"
+ "version_value": "2.4.6"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.39"
+ "version_value": "2.4.4"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.37"
+ "version_value": "2.4.3"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.36"
+ "version_value": "2.4.2"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.35"
+ "version_value": "2.4.1"
}
]
}
@@ -854,6 +704,93 @@
}
}
},
+ {
+ "CVE_data_meta": {
+ "ASSIGNER": "security@apache.org",
+ "ID": "CVE-2021-34798",
+ "STATE": "READY",
+ "TITLE": "NULL pointer dereference in httpd core"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache HTTP Server",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "Apache HTTP Server 2.4",
+ "version_value": "2.4.48"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Apache Software Foundation"
+ }
+ ]
+ }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "The issue was discovered by the Apache HTTP security team"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Malformed requests may cause the server to dereference a NULL pointer.\n\n\nThis issue affects Apache HTTP Server 2.4.48 and earlier."
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": [
+ {
+ "other": "moderate"
+ }
+ ],
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-476 NULL Pointer Dereference"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2021-09-16",
+ "value": "2.4.49 released"
+ }
+ ]
+ },
{
"data_type": "CVE",
"data_format": "MITRE",
@@ -864,19 +801,24 @@
"references": {},
"timeline": [
{
- "time": "2009-08-05",
+ "time": "2013-09-06",
"lang": "eng",
"value": "reported"
},
{
- "time": "2009-09-23",
+ "time": "2013-10-19",
"lang": "eng",
"value": "public"
},
{
- "time": "2009-10-05",
+ "time": "2015-01-30",
"lang": "eng",
- "value": "2.2.14 released"
+ "value": "2.4.12 released"
+ },
+ {
+ "time": "2014-09-03",
+ "lang": "eng",
+ "value": "2.2.29 released"
}
],
"CNA_private": {
@@ -886,9 +828,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2009-09-23",
- "ID": "CVE-2009-2699",
- "TITLE": "Solaris pollset DoS"
+ "DATE_PUBLIC": "2013-10-19",
+ "ID": "CVE-2013-5704",
+ "TITLE": "HTTP Trailers processing bypass"
},
"source": {
"defect": [],
@@ -901,23 +843,29 @@
"description": [
{
"lang": "eng",
- "value": "Solaris pollset DoS"
+ "value": "HTTP Trailers processing bypass"
}
]
}
]
},
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "This issue was reported by Martin Holst Swende."
+ }
+ ],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "Faulty error handling was found affecting Solaris pollset support (Event Port backend) caused by a bug in APR. A remote attacker could trigger this issue on Solaris servers which used prefork or event MPMs, resulting in a denial of service."
+ "value": "HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. This fix adds the \"MergeTrailers\" directive to restore legacy behavior."
}
]
},
"impact": [
{
- "other": "moderate"
+ "other": "low"
}
],
"affects": {
@@ -932,65 +880,175 @@
"version": {
"version_data": [
{
- "version_name": "2.2",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.2.13"
+ "version_value": "2.4.10"
},
{
- "version_name": "2.2",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.2.12"
+ "version_value": "2.4.9"
},
{
- "version_name": "2.2",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.2.11"
+ "version_value": "2.4.7"
},
{
- "version_name": "2.2",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.2.10"
+ "version_value": "2.4.6"
},
{
- "version_name": "2.2",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.2.9"
+ "version_value": "2.4.4"
},
{
- "version_name": "2.2",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.2.8"
+ "version_value": "2.4.3"
},
{
- "version_name": "2.2",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.2.6"
+ "version_value": "2.4.2"
},
{
- "version_name": "2.2",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.2.5"
+ "version_value": "2.4.1"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.4"
+ "version_value": "2.2.27"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.3"
+ "version_value": "2.2.26"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.2"
+ "version_value": "2.2.25"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.0"
- }
+ "version_value": "2.2.24"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.23"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.22"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.21"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.20"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.19"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.18"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.17"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.16"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.15"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.14"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.13"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.12"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.11"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.10"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.9"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.8"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.6"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.5"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.4"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.3"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.2"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.0"
+ }
]
}
}
@@ -1011,19 +1069,19 @@
"references": {},
"timeline": [
{
- "time": "2019-12-05",
+ "time": "2005-08-30",
"lang": "eng",
"value": "reported"
},
{
- "time": "2020-04-01",
+ "time": "2005-08-30",
"lang": "eng",
"value": "public"
},
{
- "time": "2020-04-01",
+ "time": "2005-10-14",
"lang": "eng",
- "value": "2.4.42 released"
+ "value": "2.0.55 released"
}
],
"CNA_private": {
@@ -1033,9 +1091,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2020-04-01",
- "ID": "CVE-2020-1927",
- "TITLE": "mod_rewrite CWE-601 open redirect"
+ "DATE_PUBLIC": "2005-08-30",
+ "ID": "CVE-2005-2700",
+ "TITLE": "SSLVerifyClient bypass"
},
"source": {
"defect": [],
@@ -1048,29 +1106,23 @@
"description": [
{
"lang": "eng",
- "value": "mod_rewrite CWE-601 open redirect"
+ "value": "SSLVerifyClient bypass"
}
]
}
]
},
- "credit": [
- {
- "lang": "eng",
- "value": "The issue was discovered by Fabrice Perez"
- }
- ],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "In Apache HTTP Server versions 2.4.0 to 2.4.41 some mod_rewrite configurations vulnerable to open redirect."
+ "value": "A flaw in the mod_ssl handling of the \"SSLVerifyClient\" directive. This flaw would occur if a virtual host has been configured using \"SSLVerifyClient optional\" and further a directive \"SSLVerifyClient required\" is set for a specific location. For servers configured in this fashion, an attacker may be able to access resources that should otherwise be protected, by not supplying a client certificate when connecting."
}
]
},
"impact": [
{
- "other": "low"
+ "other": "important"
}
],
"affects": {
@@ -1085,149 +1137,94 @@
"version": {
"version_data": [
{
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.41"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.40"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.39"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.38"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.37"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.35"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.34"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.33"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.30"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.29"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.28"
- },
- {
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.27"
+ "version_value": "2.0.54"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.26"
+ "version_value": "2.0.53"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.25"
+ "version_value": "2.0.52"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.23"
+ "version_value": "2.0.51"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.20"
+ "version_value": "2.0.50"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.18"
+ "version_value": "2.0.49"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.17"
+ "version_value": "2.0.48"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.16"
+ "version_value": "2.0.47"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.12"
+ "version_value": "2.0.46"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.10"
+ "version_value": "2.0.45"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.9"
+ "version_value": "2.0.44"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.7"
+ "version_value": "2.0.43"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.6"
+ "version_value": "2.0.42"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.4"
+ "version_value": "2.0.40"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.3"
+ "version_value": "2.0.39"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.2"
+ "version_value": "2.0.37"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.1"
+ "version_value": "2.0.36"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.0"
+ "version_value": "2.0.35"
}
]
}
@@ -1249,19 +1246,14 @@
"references": {},
"timeline": [
{
- "time": "2013-08-05",
- "lang": "eng",
- "value": "reported"
- },
- {
- "time": "2015-06-09",
+ "time": "2002-04-22",
"lang": "eng",
"value": "public"
},
{
- "time": "2015-07-15",
+ "time": "2002-05-08",
"lang": "eng",
- "value": "2.4.16 released"
+ "value": "2.0.36 released"
}
],
"CNA_private": {
@@ -1271,9 +1263,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2015-06-09",
- "ID": "CVE-2015-3185",
- "TITLE": "ap_some_auth_required API unusable"
+ "DATE_PUBLIC": "2002-04-22",
+ "ID": "CVE-2002-1592",
+ "TITLE": "Warning messages could be displayed to users"
},
"source": {
"defect": [],
@@ -1286,23 +1278,17 @@
"description": [
{
"lang": "eng",
- "value": "ap_some_auth_required API unusable"
+ "value": "Warning messages could be displayed to users"
}
]
}
]
},
- "credit": [
- {
- "lang": "eng",
- "value": "This issue was reported by Ben Reser."
- }
- ],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "A design error in the \"ap_some_auth_required\" function renders the API unusuable in httpd 2.4.x. In particular the API is documented to answering if the request required authentication but only answers if there are Require lines in the applicable configuration. Since 2.4.x Require lines are used for authorization as well and can appear in configurations even when no authentication is required and the request is entirely unrestricted. This could lead to mod [...]
+ "value": "In some cases warning messages could get returned to end users in addition to being recorded in the error log. This could reveal the path to a CGI script for example, a minor security exposure."
}
]
},
@@ -1323,59 +1309,9 @@
"version": {
"version_data": [
{
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.12"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.10"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.9"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.7"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.6"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.5"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.4"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.3"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.2"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.1"
- },
- {
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.0"
+ "version_value": "2.0.35"
}
]
}
@@ -1387,93 +1323,6 @@
}
}
},
- {
- "CVE_data_meta": {
- "ASSIGNER": "security@apache.org",
- "ID": "CVE-2021-40438",
- "STATE": "READY",
- "TITLE": "mod_proxy SSRF"
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "product": {
- "product_data": [
- {
- "product_name": "Apache HTTP Server",
- "version": {
- "version_data": [
- {
- "version_affected": "<=",
- "version_name": "Apache HTTP Server 2.4",
- "version_value": "2.4.48"
- }
- ]
- }
- }
- ]
- },
- "vendor_name": "Apache Software Foundation"
- }
- ]
- }
- },
- "credit": [
- {
- "lang": "eng",
- "value": "The issue was discovered by the Apache HTTP security team while analysing CVE-2021-36160"
- }
- ],
- "data_format": "MITRE",
- "data_type": "CVE",
- "data_version": "4.0",
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user.\n\nThis issue affects Apache HTTP Server 2.4.48 and earlier."
- }
- ]
- },
- "generator": {
- "engine": "Vulnogram 0.0.9"
- },
- "impact": [
- {
- "other": "important"
- }
- ],
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
- {
- "lang": "eng",
- "value": "CWE-918 Server Side Request Forgery (SSRF)"
- }
- ]
- }
- ]
- },
- "references": {
- "reference_data": [
- {
- "refsource": "CONFIRM"
- }
- ]
- },
- "source": {
- "discovery": "UNKNOWN"
- },
- "timeline": [
- {
- "lang": "eng",
- "time": "2021-09-16",
- "value": "2.4.49 released"
- }
- ]
- },
{
"data_type": "CVE",
"data_format": "MITRE",
@@ -1484,9 +1333,29 @@
"references": {},
"timeline": [
{
- "time": "2005-10-14",
+ "time": "2007-12-15",
"lang": "eng",
- "value": "2.0.55 released"
+ "value": "reported"
+ },
+ {
+ "time": "2008-01-02",
+ "lang": "eng",
+ "value": "public"
+ },
+ {
+ "time": "2008-01-19",
+ "lang": "eng",
+ "value": "2.2.8 released"
+ },
+ {
+ "time": "2008-01-19",
+ "lang": "eng",
+ "value": "2.0.63 released"
+ },
+ {
+ "time": "2008-01-19",
+ "lang": "eng",
+ "value": "1.3.41 released"
}
],
"CNA_private": {
@@ -1496,8 +1365,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "ID": "CVE-2005-2970",
- "TITLE": "Worker MPM memory leak"
+ "DATE_PUBLIC": "2008-01-02",
+ "ID": "CVE-2007-6388",
+ "TITLE": "mod_status XSS"
},
"source": {
"defect": [],
@@ -1510,7 +1380,7 @@
"description": [
{
"lang": "eng",
- "value": "Worker MPM memory leak"
+ "value": "mod_status XSS"
}
]
}
@@ -1520,13 +1390,13 @@
"description_data": [
{
"lang": "eng",
- "value": "A memory leak in the worker MPM would allow remote attackers to cause a denial of service (memory consumption) via aborted connections, which prevents the memory for the transaction pool from being reused for other connections. This issue was downgraded in severity to low (from moderate) as sucessful exploitation of the race condition would be difficult."
+ "value": "A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available."
}
]
},
"impact": [
{
- "other": "low"
+ "other": "moderate"
}
],
"affects": {
@@ -1541,89 +1411,269 @@
"version": {
"version_data": [
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.54"
+ "version_value": "2.2.6"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.53"
+ "version_value": "2.2.5"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.52"
+ "version_value": "2.2.4"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.51"
+ "version_value": "2.2.3"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.50"
+ "version_value": "2.2.2"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.49"
+ "version_value": "2.2.0"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.48"
+ "version_value": "2.0.61"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.47"
+ "version_value": "2.0.59"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.46"
+ "version_value": "2.0.58"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.45"
+ "version_value": "2.0.55"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.44"
+ "version_value": "2.0.54"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.43"
+ "version_value": "2.0.53"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.42"
+ "version_value": "2.0.52"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.40"
+ "version_value": "2.0.51"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.39"
+ "version_value": "2.0.50"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.37"
+ "version_value": "2.0.49"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.48"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.47"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.46"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.45"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.44"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.43"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.42"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.40"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.39"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.37"
},
{
"version_name": "2.0",
"version_affected": "=",
"version_value": "2.0.36"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.35"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.39"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.37"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.36"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.35"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.34"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.33"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.32"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.31"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.29"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.28"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.27"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.26"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.24"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.22"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.20"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.19"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.17"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.14"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.12"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.11"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.9"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.6"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.4"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.3"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.2"
}
]
}
@@ -1645,9 +1695,19 @@
"references": {},
"timeline": [
{
- "time": "2001-02-28",
+ "time": "2019-01-29",
"lang": "eng",
- "value": "1.3.19 released"
+ "value": "reported"
+ },
+ {
+ "time": "2019-04-01",
+ "lang": "eng",
+ "value": "public"
+ },
+ {
+ "time": "2019-04-01",
+ "lang": "eng",
+ "value": "2.4.39 released"
}
],
"CNA_private": {
@@ -1657,8 +1717,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "ID": "CVE-2001-0925",
- "TITLE": "Requests can cause directory listing to be displayed"
+ "DATE_PUBLIC": "2019-04-01",
+ "ID": "CVE-2019-0197",
+ "TITLE": "mod_http2, possible crash on late upgrade"
},
"source": {
"defect": [],
@@ -1671,23 +1732,29 @@
"description": [
{
"lang": "eng",
- "value": "Requests can cause directory listing to be displayed"
+ "value": "mod_http2, possible crash on late upgrade"
}
]
}
]
},
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "The issue was discovered by Stefan Eissing, greenbytes.de."
+ }
+ ],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "The default installation can lead mod_negotiation and mod_dir or mod_autoindex to display a directory listing instead of the multiview index.html file if a very long path was created artificially by using many slashes."
+ "value": "When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol or that only enabled it for https: and did not configure the \"H2Upgrade on\" is unaffected by this."
}
]
},
"impact": [
{
- "other": "important"
+ "other": "low"
}
],
"affects": {
@@ -1702,24 +1769,24 @@
"version": {
"version_data": [
{
- "version_name": "1.3",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "1.3.17"
+ "version_value": "2.4.38"
},
{
- "version_name": "1.3",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "1.3.14"
+ "version_value": "2.4.37"
},
{
- "version_name": "1.3",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "1.3.12"
+ "version_value": "2.4.35"
},
{
- "version_name": "1.3",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "1.3.11"
+ "version_value": "2.4.34"
}
]
}
@@ -1731,6 +1798,234 @@
}
}
},
+ {
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "CVE_data_meta": {
+ "ID": "CVE-2022-29404",
+ "ASSIGNER": "security@apache.org",
+ "DATE_PUBLIC": "",
+ "TITLE": "Denial of service in mod_lua r:parsebody",
+ "AKA": "",
+ "STATE": "REVIEW"
+ },
+ "source": {
+ "defect": [],
+ "advisory": "",
+ "discovery": "UNKNOWN"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Apache Software Foundation",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache HTTP Server",
+ "version": {
+ "version_data": [
+ {
+ "version_name": "",
+ "version_affected": "<=",
+ "version_value": "2.4.53",
+ "platform": ""
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-770: Allocation of Resources Without Limits or Throttling"
+ }
+ ]
+ }
+ ]
+ },
+ "description": {
+ "description_data": [
+ {
+ "value": "In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.",
+ "lang": "eng"
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "",
+ "name": ""
+ }
+ ]
+ },
+ "configuration": [],
+ "impact": [
+ {
+ "other": "low"
+ }
+ ],
+ "exploit": [],
+ "work_around": [],
+ "solution": [],
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue"
+ }
+ ],
+ "CNA_private": {
+ "owner": "httpd",
+ "publish": {
+ "ym": "",
+ "year": "",
+ "month": ""
+ },
+ "share_with_CVE": true,
+ "CVE_table_description": [],
+ "CVE_list": [],
+ "internal_comments": "",
+ "todo": [],
+ "emailed": "",
+ "userslist": "",
+ "email": ""
+ },
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2022-06-08",
+ "value": "2.4.54 released"
+ }
+ ]
+ },
+ {
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "CVE_data_meta": {
+ "ID": "CVE-2022-28615",
+ "ASSIGNER": "security@apache.org",
+ "DATE_PUBLIC": "",
+ "TITLE": "Read beyond bounds in ap_strcmp_match()",
+ "AKA": "",
+ "STATE": "REVIEW"
+ },
+ "source": {
+ "defect": [],
+ "advisory": "",
+ "discovery": "UNKNOWN"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Apache Software Foundation",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache HTTP Server",
+ "version": {
+ "version_data": [
+ {
+ "version_name": "Apache HTTP Server",
+ "version_affected": "<=",
+ "version_value": "2.4.53",
+ "platform": ""
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-190 Integer Overflow or Wraparound"
+ }
+ ]
+ }
+ ]
+ },
+ "description": {
+ "description_data": [
+ {
+ "value": "Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.",
+ "lang": "eng"
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "",
+ "name": ""
+ }
+ ]
+ },
+ "configuration": [],
+ "impact": [
+ {
+ "other": "low"
+ }
+ ],
+ "exploit": [],
+ "work_around": [],
+ "solution": [],
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue"
+ }
+ ],
+ "CNA_private": {
+ "owner": "httpd",
+ "publish": {
+ "ym": "",
+ "year": "",
+ "month": ""
+ },
+ "share_with_CVE": true,
+ "CVE_table_description": [],
+ "CVE_list": [],
+ "internal_comments": "",
+ "todo": [],
+ "emailed": "",
+ "userslist": "",
+ "email": ""
+ },
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2022-06-08",
+ "value": "2.4.54 released"
+ }
+ ]
+ },
{
"data_type": "CVE",
"data_format": "MITRE",
@@ -1741,19 +2036,19 @@
"references": {},
"timeline": [
{
- "time": "2018-10-16",
+ "time": "2019-03-26",
"lang": "eng",
"value": "reported"
},
{
- "time": "2019-01-22",
+ "time": "2019-08-14",
"lang": "eng",
"value": "public"
},
{
- "time": "2019-02-28",
+ "time": "2019-08-14",
"lang": "eng",
- "value": "2.4.38 released"
+ "value": "2.4.41 released"
}
],
"CNA_private": {
@@ -1763,9 +2058,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2019-01-22",
- "ID": "CVE-2018-17189",
- "TITLE": "DoS for HTTP/2 connections via slow request bodies"
+ "DATE_PUBLIC": "2019-08-14",
+ "ID": "CVE-2019-10098",
+ "TITLE": "mod_rewrite potential open redirect"
},
"source": {
"defect": [],
@@ -1778,7 +2073,7 @@
"description": [
{
"lang": "eng",
- "value": "DoS for HTTP/2 connections via slow request bodies"
+ "value": "mod_rewrite potential open redirect"
}
]
}
@@ -1787,14 +2082,14 @@
"credit": [
{
"lang": "eng",
- "value": "The issue was discovered by Gal Goldshtein of F5 Networks."
+ "value": "The issue was discovered by Yukitsugu Sasaki"
}
],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol."
+ "value": "Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL."
}
]
},
@@ -1814,6 +2109,16 @@
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.39"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.38"
+ },
{
"version_name": "2.4",
"version_affected": "=",
@@ -1883,40 +2188,95 @@
"version_name": "2.4",
"version_affected": "=",
"version_value": "2.4.17"
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- }
- },
- {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "generator": {
- "engine": "xmltojsonmjc 1.0"
- },
- "references": {},
- "timeline": [
- {
- "time": "2003-06-25",
- "lang": "eng",
- "value": "reported"
- },
- {
- "time": "2003-07-09",
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.16"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.12"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.10"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.9"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.7"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.6"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.4"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.3"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.2"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.1"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "generator": {
+ "engine": "xmltojsonmjc 1.0"
+ },
+ "references": {},
+ "timeline": [
+ {
+ "time": "2013-05-29",
+ "lang": "eng",
+ "value": "reported"
+ },
+ {
+ "time": "2013-07-22",
"lang": "eng",
"value": "public"
},
{
- "time": "2003-07-09",
+ "time": "2013-07-22",
"lang": "eng",
- "value": "2.0.47 released"
+ "value": "2.4.6 released"
}
],
"CNA_private": {
@@ -1926,9 +2286,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2003-07-09",
- "ID": "CVE-2003-0253",
- "TITLE": "Remote DoS with multiple Listen directives"
+ "DATE_PUBLIC": "2013-07-22",
+ "ID": "CVE-2013-2249",
+ "TITLE": "mod_session_dbd session fixation flaw"
},
"source": {
"defect": [],
@@ -1941,23 +2301,29 @@
"description": [
{
"lang": "eng",
- "value": "Remote DoS with multiple Listen directives"
+ "value": "mod_session_dbd session fixation flaw"
}
]
}
]
},
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "This issue was reported by Takashi Sato"
+ }
+ ],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "In a server with multiple listening sockets a certain error returned by accept() on a rarely access port can cause a temporary denial of service, due to a bug in the prefork MPM."
+ "value": "A flaw in mod_session_dbd caused it to proceed with save operations for a session without considering the dirty flag and the requirement for a new session ID."
}
]
},
"impact": [
{
- "other": "important"
+ "other": "moderate"
}
],
"affects": {
@@ -1972,54 +2338,24 @@
"version": {
"version_data": [
{
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.46"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.45"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.44"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.43"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.42"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.40"
- },
- {
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.39"
+ "version_value": "2.4.4"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.37"
+ "version_value": "2.4.3"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.36"
+ "version_value": "2.4.2"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.35"
+ "version_value": "2.4.1"
}
]
}
@@ -2041,19 +2377,24 @@
"references": {},
"timeline": [
{
- "time": "2019-02-22",
+ "time": "2016-02-10",
"lang": "eng",
"value": "reported"
},
{
- "time": "2019-04-01",
+ "time": "2016-12-20",
"lang": "eng",
"value": "public"
},
{
- "time": "2019-04-01",
+ "time": "2016-12-20",
"lang": "eng",
- "value": "2.4.39 released"
+ "value": "2.4.25 released"
+ },
+ {
+ "time": "2017-01-13",
+ "lang": "eng",
+ "value": "2.2.32 released"
}
],
"CNA_private": {
@@ -2063,9 +2404,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2019-04-01",
- "ID": "CVE-2019-0211",
- "TITLE": "Apache HTTP Server privilege escalation from modules' scripts"
+ "DATE_PUBLIC": "2016-12-20",
+ "ID": "CVE-2016-8743",
+ "TITLE": "Apache HTTP Request Parsing Whitespace Defects"
},
"source": {
"defect": [],
@@ -2078,7 +2419,7 @@
"description": [
{
"lang": "eng",
- "value": "Apache HTTP Server privilege escalation from modules' scripts"
+ "value": "Apache HTTP Request Parsing Whitespace Defects"
}
]
}
@@ -2087,14 +2428,14 @@
"credit": [
{
"lang": "eng",
- "value": "The issue was discovered by Charles Fol."
+ "value": "We would like to thank David Dennerline at IBM Security's X-Force Researchers as well as R\u00e9gis Leroy for each reporting this issue."
}
],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected."
+ "value": "Apache HTTP Server, prior to release 2.4.25 (and 2.2.32), accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines was treated as whitespace and remained in the request field member \"the_request\", while a bare CR in the request header field name would be honored as whitespace [...]
}
]
},
@@ -2117,77 +2458,212 @@
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.38"
+ "version_value": "2.4.23"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.37"
+ "version_value": "2.4.20"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.35"
+ "version_value": "2.4.18"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.34"
+ "version_value": "2.4.17"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.33"
+ "version_value": "2.4.16"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.30"
+ "version_value": "2.4.12"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.29"
+ "version_value": "2.4.10"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.28"
+ "version_value": "2.4.9"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.27"
+ "version_value": "2.4.7"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.26"
+ "version_value": "2.4.6"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.25"
+ "version_value": "2.4.4"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.23"
+ "version_value": "2.4.3"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.20"
+ "version_value": "2.4.2"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.18"
+ "version_value": "2.4.1"
},
{
- "version_name": "2.4",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.4.17"
+ "version_value": "2.2.31"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.29"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.27"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.26"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.25"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.24"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.23"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.22"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.21"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.20"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.19"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.18"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.17"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.16"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.15"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.14"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.13"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.12"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.11"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.10"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.9"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.8"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.6"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.5"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.4"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.3"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.2"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.0"
}
]
}
@@ -2209,24 +2685,19 @@
"references": {},
"timeline": [
{
- "time": "2002-09-20",
+ "time": "2009-06-06",
"lang": "eng",
"value": "reported"
},
{
- "time": "2002-10-02",
+ "time": "2009-06-01",
"lang": "eng",
"value": "public"
},
{
- "time": "2002-10-03",
- "lang": "eng",
- "value": "2.0.43 released"
- },
- {
- "time": "2002-10-03",
+ "time": "2009-07-27",
"lang": "eng",
- "value": "1.3.27 released"
+ "value": "2.2.12 released"
}
],
"CNA_private": {
@@ -2236,9 +2707,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2002-10-02",
- "ID": "CVE-2002-0840",
- "TITLE": "Error page XSS using wildcard DNS"
+ "DATE_PUBLIC": "2009-06-01",
+ "ID": "CVE-2009-1955",
+ "TITLE": "APR-util XML DoS"
},
"source": {
"defect": [],
@@ -2251,7 +2722,7 @@
"description": [
{
"lang": "eng",
- "value": "Error page XSS using wildcard DNS"
+ "value": "APR-util XML DoS"
}
]
}
@@ -2261,13 +2732,13 @@
"description_data": [
{
"lang": "eng",
- "value": "Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is \"Off\" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header."
+ "value": "A denial of service flaw was found in the bundled copy of the APR-util library Extensible Markup Language (XML) parser. A remote attacker could create a specially-crafted XML document that would cause excessive memory consumption when processed by the XML decoding engine."
}
]
},
"impact": [
{
- "other": "low"
+ "other": "moderate"
}
],
"affects": {
@@ -2282,114 +2753,54 @@
"version": {
"version_data": [
{
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.42"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.40"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.39"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.37"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.36"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.35"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.26"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.24"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.22"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.20"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.19"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.17"
- },
- {
- "version_name": "1.3",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "1.3.14"
+ "version_value": "2.2.11"
},
{
- "version_name": "1.3",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "1.3.12"
+ "version_value": "2.2.10"
},
{
- "version_name": "1.3",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "1.3.11"
+ "version_value": "2.2.9"
},
{
- "version_name": "1.3",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "1.3.9"
+ "version_value": "2.2.8"
},
{
- "version_name": "1.3",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "1.3.6"
+ "version_value": "2.2.6"
},
{
- "version_name": "1.3",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "1.3.4"
+ "version_value": "2.2.5"
},
{
- "version_name": "1.3",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "1.3.3"
+ "version_value": "2.2.4"
},
{
- "version_name": "1.3",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "1.3.2"
+ "version_value": "2.2.3"
},
{
- "version_name": "1.3",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "1.3.1"
+ "version_value": "2.2.2"
},
{
- "version_name": "1.3",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "1.3.0"
+ "version_value": "2.2.0"
}
]
}
@@ -2406,163 +2817,36 @@
"data_format": "MITRE",
"data_version": "4.0",
"generator": {
- "engine": "Vulnogram 0.0.9"
+ "engine": "xmltojsonmjc 1.0"
+ },
+ "references": {},
+ "timeline": [
+ {
+ "time": "2019-02-22",
+ "lang": "eng",
+ "value": "reported"
+ },
+ {
+ "time": "2019-04-01",
+ "lang": "eng",
+ "value": "public"
+ },
+ {
+ "time": "2019-04-01",
+ "lang": "eng",
+ "value": "2.4.39 released"
+ }
+ ],
+ "CNA_private": {
+ "owner": "httpd"
},
"CVE_data_meta": {
- "ID": "CVE-2021-31618",
"ASSIGNER": "security@apache.org",
- "DATE_PUBLIC": "2021-06-01",
- "TITLE": "NULL pointer dereference on specially crafted HTTP/2 request",
"AKA": "",
- "STATE": "DRAFT"
- },
- "source": {
- "defect": [],
- "advisory": "",
- "discovery": "UNKNOWN"
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "Apache Software Foundation",
- "product": {
- "product_data": [
- {
- "product_name": "Apache HTTP Server",
- "version": {
- "version_data": [
- {
- "version_name": "",
- "version_affected": "=",
- "version_value": "2.4.47",
- "platform": ""
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
- {
- "lang": "eng",
- "value": "CWE-476 NULL Pointer Dereference"
- }
- ]
- }
- ]
- },
- "description": {
- "description_data": [
- {
- "value": "Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected.\n\nThis rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one rece [...]
- "lang": "eng"
- }
- ]
- },
- "references": {
- "reference_data": [
- {
- "refsource": "CONFIRM",
- "url": "",
- "name": ""
- }
- ]
- },
- "configuration": [],
- "impact": [
- {
- "other": "important"
- }
- ],
- "exploit": [],
- "work_around": [
- {
- "lang": "eng",
- "value": "On unpatched servers, the `h2` protocol can be disabled by removing it from the `Protocols` configuration. If the `h2` protocol is not enabled, the server is not affected by this vulnerability."
- }
- ],
- "solution": [],
- "credit": [
- {
- "lang": "eng",
- "value": "Apache HTTP server would like to thank LI ZHI XIN from NSFoucs for reporting this."
- }
- ],
- "CNA_private": {
- "owner": "httpd",
- "publish": {
- "ym": "",
- "year": "",
- "month": ""
- },
- "share_with_CVE": true,
- "CVE_table_description": [],
- "CVE_list": [],
- "internal_comments": "",
- "todo": [],
- "email": ""
- },
- "timeline": [
- {
- "time": "2021-04-22",
- "lang": "eng",
- "value": "reported"
- },
- {
- "time": "2021-06-01",
- "lang": "eng",
- "value": "public"
- },
- {
- "time": "2021-06-01",
- "lang": "eng",
- "value": "2.4.48 released"
- }
- ]
- },
- {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "generator": {
- "engine": "xmltojsonmjc 1.0"
- },
- "references": {},
- "timeline": [
- {
- "time": "2019-04-10",
- "lang": "eng",
- "value": "reported"
- },
- {
- "time": "2019-08-14",
- "lang": "eng",
- "value": "public"
- },
- {
- "time": "2019-08-14",
- "lang": "eng",
- "value": "2.4.41 released"
- }
- ],
- "CNA_private": {
- "owner": "httpd"
- },
- "CVE_data_meta": {
- "ASSIGNER": "security@apache.org",
- "AKA": "",
- "STATE": "PUBLIC",
- "DATE_PUBLIC": "2019-08-14",
- "ID": "CVE-2019-9517",
- "TITLE": "mod_http2, DoS attack by exhausting h2 workers."
+ "STATE": "PUBLIC",
+ "DATE_PUBLIC": "2019-04-01",
+ "ID": "CVE-2019-0211",
+ "TITLE": "Apache HTTP Server privilege escalation from modules' scripts"
},
"source": {
"defect": [],
@@ -2575,7 +2859,7 @@
"description": [
{
"lang": "eng",
- "value": "mod_http2, DoS attack by exhausting h2 workers."
+ "value": "Apache HTTP Server privilege escalation from modules' scripts"
}
]
}
@@ -2584,20 +2868,20 @@
"credit": [
{
"lang": "eng",
- "value": "The issue was discovered by Jonathan Looney of Netflix."
+ "value": "The issue was discovered by Charles Fol."
}
],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "A malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections."
+ "value": "In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected."
}
]
},
"impact": [
{
- "other": "moderate"
+ "other": "important"
}
],
"affects": {
@@ -2611,11 +2895,6 @@
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.39"
- },
{
"version_name": "2.4",
"version_affected": "=",
@@ -2644,7 +2923,7 @@
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.32"
+ "version_value": "2.4.30"
},
{
"version_name": "2.4",
@@ -2680,6 +2959,16 @@
"version_name": "2.4",
"version_affected": "=",
"version_value": "2.4.20"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.18"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.17"
}
]
}
@@ -2839,24 +3128,29 @@
"references": {},
"timeline": [
{
- "time": "2016-02-10",
+ "time": "2007-10-23",
"lang": "eng",
"value": "reported"
},
{
- "time": "2016-12-20",
+ "time": "2007-12-11",
"lang": "eng",
"value": "public"
},
{
- "time": "2016-12-20",
+ "time": "2008-01-19",
"lang": "eng",
- "value": "2.4.25 released"
+ "value": "2.2.8 released"
},
{
- "time": "2017-01-13",
+ "time": "2008-01-19",
"lang": "eng",
- "value": "2.2.32 released"
+ "value": "2.0.63 released"
+ },
+ {
+ "time": "2008-01-19",
+ "lang": "eng",
+ "value": "1.3.41 released"
}
],
"CNA_private": {
@@ -2866,9 +3160,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2016-12-20",
- "ID": "CVE-2016-8743",
- "TITLE": "Apache HTTP Request Parsing Whitespace Defects"
+ "DATE_PUBLIC": "2007-12-11",
+ "ID": "CVE-2007-5000",
+ "TITLE": "mod_imagemap XSS"
},
"source": {
"defect": [],
@@ -2881,29 +3175,23 @@
"description": [
{
"lang": "eng",
- "value": "Apache HTTP Request Parsing Whitespace Defects"
+ "value": "mod_imagemap XSS"
}
]
}
]
},
- "credit": [
- {
- "lang": "eng",
- "value": "We would like to thank David Dennerline at IBM Security's X-Force Researchers as well as R\u00e9gis Leroy for each reporting this issue."
- }
- ],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "Apache HTTP Server, prior to release 2.4.25 (and 2.2.32), accepted a broad pattern of unusual whitespace patterns from the user-agent, including bare CR, FF, VTAB in parsing the request line and request header lines, as well as HTAB in parsing the request line. Any bare CR present in request lines was treated as whitespace and remained in the request field member \"the_request\", while a bare CR in the request header field name would be honored as whitespace [...]
+ "value": "A flaw was found in the mod_imagemap module. On sites where mod_imagemap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible."
}
]
},
"impact": [
{
- "other": "important"
+ "other": "moderate"
}
],
"affects": {
@@ -2918,214 +3206,279 @@
"version": {
"version_data": [
{
- "version_name": "2.4",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.4.23"
+ "version_value": "2.2.6"
},
{
- "version_name": "2.4",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.4.20"
+ "version_value": "2.2.5"
},
{
- "version_name": "2.4",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.4.18"
+ "version_value": "2.2.4"
},
{
- "version_name": "2.4",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.4.17"
+ "version_value": "2.2.3"
},
{
- "version_name": "2.4",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.4.16"
+ "version_value": "2.2.2"
},
{
- "version_name": "2.4",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.4.12"
+ "version_value": "2.2.0"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.10"
+ "version_value": "2.0.61"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.9"
+ "version_value": "2.0.59"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.7"
+ "version_value": "2.0.58"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.6"
+ "version_value": "2.0.55"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.4"
+ "version_value": "2.0.54"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.3"
+ "version_value": "2.0.53"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.2"
+ "version_value": "2.0.52"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.1"
+ "version_value": "2.0.51"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.31"
+ "version_value": "2.0.50"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.29"
+ "version_value": "2.0.49"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.27"
+ "version_value": "2.0.48"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.26"
+ "version_value": "2.0.47"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.25"
+ "version_value": "2.0.46"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.24"
+ "version_value": "2.0.45"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.23"
+ "version_value": "2.0.44"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.22"
+ "version_value": "2.0.43"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.21"
+ "version_value": "2.0.42"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.20"
+ "version_value": "2.0.40"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.19"
+ "version_value": "2.0.39"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.18"
+ "version_value": "2.0.37"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.17"
+ "version_value": "2.0.36"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.16"
+ "version_value": "2.0.35"
},
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.15"
+ "version_value": "1.3.39"
},
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.14"
+ "version_value": "1.3.37"
},
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.13"
+ "version_value": "1.3.36"
},
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.12"
+ "version_value": "1.3.35"
},
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.11"
+ "version_value": "1.3.34"
},
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.10"
+ "version_value": "1.3.33"
},
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.9"
+ "version_value": "1.3.32"
},
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.8"
+ "version_value": "1.3.31"
},
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.6"
+ "version_value": "1.3.29"
},
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.5"
+ "version_value": "1.3.28"
},
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.4"
+ "version_value": "1.3.27"
},
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.3"
+ "version_value": "1.3.26"
},
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.2"
+ "version_value": "1.3.24"
},
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.0"
+ "version_value": "1.3.22"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.20"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.19"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.17"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.14"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.12"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.11"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.9"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.6"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.4"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.3"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.2"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.1"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.0"
}
]
}
@@ -3137,6 +3490,109 @@
}
}
},
+ {
+ "containers": {
+ "cna": {
+ "affected": [
+ {
+ "defaultStatus": "unaffected",
+ "product": "Apache HTTP Server",
+ "vendor": "Apache Software Foundation",
+ "versions": [
+ {
+ "lessThanOrEqual": "2.4.54",
+ "status": "affected",
+ "version": "2.4",
+ "versionType": "semver"
+ }
+ ]
+ }
+ ],
+ "credits": [
+ {
+ "lang": "en",
+ "type": "finder",
+ "value": "ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group"
+ }
+ ],
+ "descriptions": [
+ {
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "base64": false,
+ "type": "text/html",
+ "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions."
+ }
+ ],
+ "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions."
+ }
+ ],
+ "metrics": [
+ {
+ "other": {
+ "content": {
+ "text": "moderate"
+ },
+ "type": "Textual description of severity"
+ }
+ }
+ ],
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "cweId": "CWE-444",
+ "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')",
+ "lang": "en",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "providerMetadata": {
+ "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
+ },
+ "references": [
+ {
+ "tags": [
+ "vendor-advisory"
+ ],
+ "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
+ }
+ ],
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "timeline": [
+ {
+ "lang": "en",
+ "time": "2022-07-12T15:00:00.000Z",
+ "value": "Reported to security team"
+ }
+ ],
+ "title": "Apache HTTP Server: mod_proxy_ajp Possible request smuggling",
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ }
+ }
+ },
+ "cveMetadata": {
+ "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
+ "cveId": "CVE-2022-36760",
+ "serial": 1,
+ "state": "PUBLISHED"
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2023-01-17",
+ "value": "2.4.55 released"
+ }
+ ]
+ },
{
"data_type": "CVE",
"data_format": "MITRE",
@@ -3147,19 +3603,14 @@
"references": {},
"timeline": [
{
- "time": "2016-10-13",
- "lang": "eng",
- "value": "reported"
- },
- {
- "time": "2020-08-07",
+ "time": "2005-06-11",
"lang": "eng",
"value": "public"
},
{
- "time": "2020-08-07",
+ "time": "2005-10-14",
"lang": "eng",
- "value": "2.4.25 released"
+ "value": "2.0.55 released"
}
],
"CNA_private": {
@@ -3169,9 +3620,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2020-08-07",
- "ID": "CVE-2020-11985",
- "TITLE": "IP address spoofing when proxying using mod_remoteip and mod_rewrite"
+ "DATE_PUBLIC": "2005-06-11",
+ "ID": "CVE-2005-2088",
+ "TITLE": "HTTP Request Spoofing"
},
"source": {
"defect": [],
@@ -3184,29 +3635,23 @@
"description": [
{
"lang": "eng",
- "value": "IP address spoofing when proxying using mod_remoteip and mod_rewrite"
+ "value": "HTTP Request Spoofing"
}
]
}
]
},
- "credit": [
- {
- "lang": "eng",
- "value": ""
- }
- ],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020."
+ "value": "A flaw occured when using the Apache server as a HTTP proxy. A remote attacker could send a HTTP request with both a \"Transfer-Encoding: chunked\" header and a Content-Length header, causing Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request. This could allow the bypass of web application firewall protection or lead to cross-site scripting (XSS) attacks."
}
]
},
"impact": [
{
- "other": "low"
+ "other": "moderate"
}
],
"affects": {
@@ -3221,74 +3666,94 @@
"version": {
"version_data": [
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.23"
+ "version_value": "2.0.54"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.20"
+ "version_value": "2.0.53"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.18"
+ "version_value": "2.0.52"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.17"
+ "version_value": "2.0.51"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.16"
+ "version_value": "2.0.50"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.12"
+ "version_value": "2.0.49"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.10"
+ "version_value": "2.0.48"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.9"
+ "version_value": "2.0.47"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.7"
+ "version_value": "2.0.46"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.6"
+ "version_value": "2.0.45"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.4"
+ "version_value": "2.0.44"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.3"
+ "version_value": "2.0.43"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.2"
+ "version_value": "2.0.42"
},
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.1"
+ "version_value": "2.0.40"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.39"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.37"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.36"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.35"
}
]
}
@@ -3310,14 +3775,19 @@
"references": {},
"timeline": [
{
- "time": "2004-04-02",
+ "time": "2007-04-26",
+ "lang": "eng",
+ "value": "reported"
+ },
+ {
+ "time": "2007-06-01",
"lang": "eng",
"value": "public"
},
{
- "time": "2004-04-02",
+ "time": "2007-09-07",
"lang": "eng",
- "value": "2.0.45 released"
+ "value": "2.2.6 released"
}
],
"CNA_private": {
@@ -3327,9 +3797,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2004-04-02",
- "ID": "CVE-2003-0132",
- "TITLE": "Line feed memory leak DoS"
+ "DATE_PUBLIC": "2007-06-01",
+ "ID": "CVE-2007-1862",
+ "TITLE": "mod_cache information leak"
},
"source": {
"defect": [],
@@ -3342,7 +3812,7 @@
"description": [
{
"lang": "eng",
- "value": "Line feed memory leak DoS"
+ "value": "mod_cache information leak"
}
]
}
@@ -3352,13 +3822,13 @@
"description_data": [
{
"lang": "eng",
- "value": "Apache 2.0 versions before Apache 2.0.45 had a significant Denial of Service vulnerability. Remote attackers could cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed."
+ "value": "The recall_headers function in mod_mem_cache in Apache 2.2.4 did not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously used data, which could be used by remote attackers to obtain potentially sensitive information."
}
]
},
"impact": [
{
- "other": "important"
+ "other": "moderate"
}
],
"affects": {
@@ -3373,44 +3843,9 @@
"version": {
"version_data": [
{
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.44"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.43"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.42"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.40"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.39"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.37"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.36"
- },
- {
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.35"
+ "version_value": "2.2.4"
}
]
}
@@ -3432,19 +3867,19 @@
"references": {},
"timeline": [
{
- "time": "2005-07-07",
+ "time": "2021-02-08",
"lang": "eng",
"value": "reported"
},
{
- "time": "2005-07-07",
+ "time": "2021-06-01",
"lang": "eng",
"value": "public"
},
{
- "time": "2005-10-14",
+ "time": "2021-06-01",
"lang": "eng",
- "value": "2.0.55 released"
+ "value": "2.4.48 released"
}
],
"CNA_private": {
@@ -3454,9 +3889,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2005-07-07",
- "ID": "CVE-2005-2728",
- "TITLE": "Byterange filter DoS"
+ "DATE_PUBLIC": "2021-06-01",
+ "ID": "CVE-2021-26690",
+ "TITLE": "mod_session NULL pointer dereference"
},
"source": {
"defect": [],
@@ -3469,23 +3904,29 @@
"description": [
{
"lang": "eng",
- "value": "Byterange filter DoS"
+ "value": "mod_session NULL pointer dereference"
}
]
}
]
},
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales)"
+ }
+ ],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "A flaw in the byterange filter would cause some responses to be buffered into memory. If a server has a dynamic resource such as a CGI script or PHP script which generates a large amount of data, an attacker could send carefully crafted requests in order to consume resources, potentially leading to a Denial of Service."
+ "value": "Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service"
}
]
},
"impact": [
{
- "other": "moderate"
+ "other": "low"
}
],
"affects": {
@@ -3500,94 +3941,149 @@
"version": {
"version_data": [
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.54"
+ "version_value": "2.4.46"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.53"
+ "version_value": "2.4.43"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.52"
+ "version_value": "2.4.41"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.51"
+ "version_value": "2.4.39"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.50"
+ "version_value": "2.4.38"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.49"
+ "version_value": "2.4.37"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.48"
+ "version_value": "2.4.35"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.47"
+ "version_value": "2.4.34"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.46"
+ "version_value": "2.4.33"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.45"
+ "version_value": "2.4.29"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.44"
+ "version_value": "2.4.28"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.43"
+ "version_value": "2.4.27"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.42"
+ "version_value": "2.4.26"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.40"
+ "version_value": "2.4.25"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.39"
+ "version_value": "2.4.23"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.37"
+ "version_value": "2.4.20"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.36"
+ "version_value": "2.4.18"
},
{
- "version_name": "2.0",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.0.35"
+ "version_value": "2.4.17"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.16"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.12"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.10"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.9"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.7"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.6"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.4"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.3"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.2"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.1"
+ },
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.0"
}
]
}
@@ -3609,19 +4105,19 @@
"references": {},
"timeline": [
{
- "time": "2009-03-05",
+ "time": "2009-12-30",
"lang": "eng",
"value": "reported"
},
{
- "time": "2009-04-21",
+ "time": "2010-01-27",
"lang": "eng",
"value": "public"
},
{
- "time": "2009-07-27",
+ "time": "2010-02-03",
"lang": "eng",
- "value": "2.2.12 released"
+ "value": "1.3.42 released"
}
],
"CNA_private": {
@@ -3631,9 +4127,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2009-04-21",
- "ID": "CVE-2009-1191",
- "TITLE": "mod_proxy_ajp information disclosure"
+ "DATE_PUBLIC": "2010-01-27",
+ "ID": "CVE-2010-0010",
+ "TITLE": "mod_proxy overflow on 64-bit systems"
},
"source": {
"defect": [],
@@ -3646,7 +4142,7 @@
"description": [
{
"lang": "eng",
- "value": "mod_proxy_ajp information disclosure"
+ "value": "mod_proxy overflow on 64-bit systems"
}
]
}
@@ -3656,13 +4152,13 @@
"description_data": [
{
"lang": "eng",
- "value": "An information disclosure flaw was found in mod_proxy_ajp in version 2.2.11 only. In certain situations, if a user sent a carefully crafted HTTP request, the server could return a response intended for another user."
+ "value": "An incorrect conversion between numeric types flaw was found in the mod_proxy module which affects some 64-bit architecture systems. A malicious HTTP server to which requests are being proxied could use this flaw to trigger a heap buffer overflow in an httpd child process via a carefully crafted response."
}
]
},
"impact": [
{
- "other": "important"
+ "other": "moderate"
}
],
"affects": {
@@ -3677,9 +4173,134 @@
"version": {
"version_data": [
{
- "version_name": "2.2",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.2.11"
+ "version_value": "1.3.41"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.39"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.37"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.36"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.35"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.34"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.33"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.32"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.31"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.29"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.28"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.27"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.26"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.24"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.22"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.20"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.19"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.17"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.14"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.12"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.11"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.9"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.6"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.4"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.3"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.2"
}
]
}
@@ -3701,19 +4322,19 @@
"references": {},
"timeline": [
{
- "time": "2018-07-18",
+ "time": "2003-12-18",
"lang": "eng",
"value": "reported"
},
{
- "time": "2018-09-25",
+ "time": "2003-12-18",
"lang": "eng",
"value": "public"
},
{
- "time": "2018-09-29",
+ "time": "2004-05-12",
"lang": "eng",
- "value": "2.4.35 released"
+ "value": "1.3.31 released"
}
],
"CNA_private": {
@@ -3723,9 +4344,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2018-09-25",
- "ID": "CVE-2018-11763",
- "TITLE": "DoS for HTTP/2 connections by continuous SETTINGS"
+ "DATE_PUBLIC": "2003-12-18",
+ "ID": "CVE-2003-0987",
+ "TITLE": "mod_digest nonce checking"
},
"source": {
"defect": [],
@@ -3738,23 +4359,17 @@
"description": [
{
"lang": "eng",
- "value": "DoS for HTTP/2 connections by continuous SETTINGS"
+ "value": "mod_digest nonce checking"
}
]
}
]
},
- "credit": [
- {
- "lang": "eng",
- "value": "The issue was discovered by Gal Goldshtein of F5 Networks."
- }
- ],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "By sending continous SETTINGS frames of maximum size an ongoing HTTP/2 connection could be kept busy and would never time out. This can be abused for a DoS on the server. This only affect a server that has enabled the h2 protocol."
+ "value": "mod_digest does not properly verify the nonce of a client response by using a AuthNonce secret. This could allow a malicious user who is able to sniff network traffic to conduct a replay attack against a website using Digest protection. Note that mod_digest implements an older version of the MD5 Digest Authentication specification which is known not to work with modern browsers. This issue does not affect mod_auth_digest."
}
]
},
@@ -3775,216 +4390,99 @@
"version": {
"version_data": [
{
- "version_name": "2.4",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.4.34"
+ "version_value": "1.3.29"
},
{
- "version_name": "2.4",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.4.33"
+ "version_value": "1.3.28"
},
{
- "version_name": "2.4",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.4.30"
+ "version_value": "1.3.27"
},
{
- "version_name": "2.4",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.4.29"
+ "version_value": "1.3.26"
},
{
- "version_name": "2.4",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.4.28"
+ "version_value": "1.3.24"
},
{
- "version_name": "2.4",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.4.27"
+ "version_value": "1.3.22"
},
{
- "version_name": "2.4",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.4.26"
+ "version_value": "1.3.20"
},
{
- "version_name": "2.4",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.4.25"
+ "version_value": "1.3.19"
},
{
- "version_name": "2.4",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.4.23"
+ "version_value": "1.3.17"
},
{
- "version_name": "2.4",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.4.20"
+ "version_value": "1.3.14"
},
{
- "version_name": "2.4",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.4.18"
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- }
- },
- {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "generator": {
- "engine": "xmltojsonmjc 1.0"
- },
- "references": {},
- "timeline": [
- {
- "time": "2004-07-07",
- "lang": "eng",
- "value": "reported"
- },
- {
- "time": "2004-07-07",
- "lang": "eng",
- "value": "public"
- },
- {
- "time": "2004-09-15",
- "lang": "eng",
- "value": "2.0.51 released"
- }
- ],
- "CNA_private": {
- "owner": "httpd"
- },
- "CVE_data_meta": {
- "ASSIGNER": "security@apache.org",
- "AKA": "",
- "STATE": "PUBLIC",
- "DATE_PUBLIC": "2004-07-07",
- "ID": "CVE-2004-0748",
- "TITLE": "SSL connection infinite loop"
- },
- "source": {
- "defect": [],
- "advisory": "",
- "discovery": "UNKNOWN"
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
- {
- "lang": "eng",
- "value": "SSL connection infinite loop"
- }
- ]
- }
- ]
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "An issue was discovered in the mod_ssl module in Apache 2.0. A remote attacker who forces an SSL connection to be aborted in a particular state may cause an Apache child process to enter an infinite loop, consuming CPU resources."
- }
- ]
- },
- "impact": [
- {
- "other": "important"
- }
- ],
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "Apache Software Foundation",
- "product": {
- "product_data": [
- {
- "product_name": "Apache HTTP Server",
- "version": {
- "version_data": [
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.50"
- },
- {
- "version_name": "2.0",
- "version_affected": "?=",
- "version_value": "2.0.49"
- },
- {
- "version_name": "2.0",
- "version_affected": "?=",
- "version_value": "2.0.48"
- },
- {
- "version_name": "2.0",
- "version_affected": "?=",
- "version_value": "2.0.47"
- },
- {
- "version_name": "2.0",
- "version_affected": "?=",
- "version_value": "2.0.46"
- },
- {
- "version_name": "2.0",
- "version_affected": "?=",
- "version_value": "2.0.45"
+ "version_value": "1.3.12"
},
{
- "version_name": "2.0",
- "version_affected": "?=",
- "version_value": "2.0.44"
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.11"
},
{
- "version_name": "2.0",
- "version_affected": "?=",
- "version_value": "2.0.43"
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.9"
},
{
- "version_name": "2.0",
- "version_affected": "?=",
- "version_value": "2.0.42"
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.6"
},
{
- "version_name": "2.0",
- "version_affected": "?=",
- "version_value": "2.0.40"
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.4"
},
{
- "version_name": "2.0",
- "version_affected": "?=",
- "version_value": "2.0.39"
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.3"
},
{
- "version_name": "2.0",
- "version_affected": "?=",
- "version_value": "2.0.37"
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.2"
},
{
- "version_name": "2.0",
- "version_affected": "?=",
- "version_value": "2.0.36"
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.1"
},
{
- "version_name": "2.0",
- "version_affected": "?=",
- "version_value": "2.0.35"
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.0"
}
]
}
@@ -3997,30 +4495,16 @@
}
},
{
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "generator": {
- "engine": "Vulnogram 0.0.9"
- },
"CVE_data_meta": {
- "ID": "CVE-2022-31813",
"ASSIGNER": "security@apache.org",
- "DATE_PUBLIC": "",
- "TITLE": "mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism",
- "AKA": "",
- "STATE": "REVIEW"
- },
- "source": {
- "defect": [],
- "advisory": "",
- "discovery": "UNKNOWN"
+ "ID": "CVE-2021-42013",
+ "STATE": "REVIEW",
+ "TITLE": "Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)"
},
"affects": {
"vendor": {
"vendor_data": [
{
- "vendor_name": "Apache Software Foundation",
"product": {
"product_data": [
{
@@ -4028,85 +4512,99 @@
"version": {
"version_data": [
{
- "version_name": "Apache HTTP Server 2.4",
- "version_affected": "<=",
- "version_value": "2.4.53",
- "platform": ""
+ "version_affected": "=",
+ "version_name": "Apache HTTP Server",
+ "version_value": "2.4.49"
+ },
+ {
+ "version_affected": "=",
+ "version_name": "Apache HTTP Server",
+ "version_value": "2.4.50"
}
]
}
}
]
- }
+ },
+ "vendor_name": "Apache Software Foundation"
}
]
}
},
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Reported by Juan Escobar from Dreamlab Technologies"
+ },
+ {
+ "lang": "eng",
+ "value": "Reported by Fernando Mu\u00f1oz from NULL Life CTF Team"
+ },
+ {
+ "lang": "eng",
+ "value": "Reported by Shungo Kumasaka"
+ },
+ {
+ "lang": "eng",
+ "value": "Reported by Nattapon Jongcharoen"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. \n\nIf files outside of these directories are not protected by the usual default configuration \"require all denied\", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code ex [...]
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": [
+ {
+ "other": "critical"
+ }
+ ],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
- "value": "CWE-348 Use of Less Trusted Source"
+ "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
}
]
}
]
},
- "description": {
- "description_data": [
- {
- "value": "Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism.\nThis may be used to bypass IP based authentication on the origin server/application.",
- "lang": "eng"
- }
- ]
- },
"references": {
"reference_data": [
{
- "refsource": "CONFIRM",
- "url": "",
- "name": ""
+ "refsource": "CONFIRM"
}
]
},
- "configuration": [],
- "impact": [
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "timeline": [
{
- "other": "low"
- }
- ],
- "exploit": [],
- "work_around": [],
- "solution": [],
- "credit": [
+ "lang": "eng",
+ "time": "2021-10-06",
+ "value": "reported"
+ },
{
+ "time": "2021-10-07",
"lang": "eng",
- "value": "The Apache HTTP Server project would like to thank Gaetan Ferry (Synacktiv) for reporting this issue"
- }
- ],
- "CNA_private": {
- "owner": "httpd",
- "publish": {
- "ym": "",
- "year": "",
- "month": ""
+ "value": "fixed by r1893977, r1893980, r1893982 in 2.4.x"
},
- "share_with_CVE": true,
- "CVE_table_description": [],
- "CVE_list": [],
- "internal_comments": "",
- "todo": [],
- "emailed": "",
- "userslist": "",
- "email": ""
- },
- "timeline": [
{
"lang": "eng",
- "time": "2022-06-08",
- "value": "2.4.54 released"
+ "time": "2021-10-07",
+ "value": "2.4.51 released"
}
]
},
@@ -4120,19 +4618,24 @@
"references": {},
"timeline": [
{
- "time": "2019-01-29",
+ "time": "2014-06-16",
"lang": "eng",
"value": "reported"
},
{
- "time": "2019-04-01",
+ "time": "2014-07-14",
"lang": "eng",
"value": "public"
},
{
- "time": "2019-04-01",
+ "time": "2014-07-15",
"lang": "eng",
- "value": "2.4.39 released"
+ "value": "2.4.10 released"
+ },
+ {
+ "time": "2014-09-03",
+ "lang": "eng",
+ "value": "2.2.29 released"
}
],
"CNA_private": {
@@ -4142,9 +4645,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2019-04-01",
- "ID": "CVE-2019-0197",
- "TITLE": "mod_http2, possible crash on late upgrade"
+ "DATE_PUBLIC": "2014-07-14",
+ "ID": "CVE-2014-0231",
+ "TITLE": "mod_cgid denial of service"
},
"source": {
"defect": [],
@@ -4157,7 +4660,7 @@
"description": [
{
"lang": "eng",
- "value": "mod_http2, possible crash on late upgrade"
+ "value": "mod_cgid denial of service"
}
]
}
@@ -4166,20 +4669,20 @@
"credit": [
{
"lang": "eng",
- "value": "The issue was discovered by Stefan Eissing, greenbytes.de."
+ "value": "This issue was reported by Rainer Jung of the ASF"
}
],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol or that only enabled it for https: and did not configure the \"H2Upgrade on\" is unaffected by this."
+ "value": "A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI scripts which did not consume standard input, a remote attacker could cause child processes to hang indefinitely, leading to denial of service."
}
]
},
"impact": [
{
- "other": "low"
+ "other": "important"
}
],
"affects": {
@@ -4196,304 +4699,167 @@
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.38"
+ "version_value": "2.4.9"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.37"
+ "version_value": "2.4.7"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.35"
+ "version_value": "2.4.6"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.34"
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- }
- },
- {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "generator": {
- "engine": "xmltojsonmjc 1.0"
- },
- "references": {},
- "timeline": [
- {
- "time": "2009-12-18",
- "lang": "eng",
- "value": "reported"
- },
- {
- "time": "2009-12-02",
- "lang": "eng",
- "value": "public"
- },
- {
- "time": "2010-10-19",
- "lang": "eng",
- "value": "2.2.17 released"
- },
- {
- "time": "2010-10-19",
- "lang": "eng",
- "value": "2.0.64 released"
- }
- ],
- "CNA_private": {
- "owner": "httpd"
- },
- "CVE_data_meta": {
- "ASSIGNER": "security@apache.org",
- "AKA": "",
- "STATE": "PUBLIC",
- "DATE_PUBLIC": "2009-12-02",
- "ID": "CVE-2009-3560",
- "TITLE": "expat DoS"
- },
- "source": {
- "defect": [],
- "advisory": "",
- "discovery": "UNKNOWN"
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
- {
- "lang": "eng",
- "value": "expat DoS"
- }
- ]
- }
- ]
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "A buffer over-read flaw was found in the bundled expat library. An attacker who is able to get Apache to parse an untrused XML document (for example through mod_dav) may be able to cause a crash. This crash would only be a denial of service if using the worker MPM."
- }
- ]
- },
- "impact": [
- {
- "other": "low"
- }
- ],
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "Apache Software Foundation",
- "product": {
- "product_data": [
- {
- "product_name": "Apache HTTP Server",
- "version": {
- "version_data": [
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.16"
+ "version_value": "2.4.4"
},
{
- "version_name": "2.2",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.2.15"
+ "version_value": "2.4.3"
},
{
- "version_name": "2.2",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.2.14"
+ "version_value": "2.4.2"
},
{
- "version_name": "2.2",
+ "version_name": "2.4",
"version_affected": "=",
- "version_value": "2.2.13"
+ "version_value": "2.4.1"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.12"
+ "version_value": "2.2.27"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.11"
+ "version_value": "2.2.26"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.10"
+ "version_value": "2.2.25"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.9"
+ "version_value": "2.2.24"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.8"
+ "version_value": "2.2.23"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.6"
+ "version_value": "2.2.22"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.5"
+ "version_value": "2.2.21"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.4"
+ "version_value": "2.2.20"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.3"
+ "version_value": "2.2.19"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.2"
+ "version_value": "2.2.18"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.0"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.63"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.61"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.59"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.58"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.55"
+ "version_value": "2.2.17"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.54"
+ "version_value": "2.2.16"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.53"
+ "version_value": "2.2.15"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.52"
+ "version_value": "2.2.14"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.51"
+ "version_value": "2.2.13"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.50"
+ "version_value": "2.2.12"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.49"
+ "version_value": "2.2.11"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.48"
+ "version_value": "2.2.10"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.47"
+ "version_value": "2.2.9"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.46"
+ "version_value": "2.2.8"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.45"
+ "version_value": "2.2.6"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.44"
+ "version_value": "2.2.5"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.43"
+ "version_value": "2.2.4"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.42"
+ "version_value": "2.2.3"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.40"
+ "version_value": "2.2.2"
},
{
- "version_name": "2.0",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.0.39"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.37"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.36"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.35"
+ "version_value": "2.2.0"
}
]
}
@@ -4505,120 +4871,6 @@
}
}
},
- {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "generator": {
- "engine": "Vulnogram 0.0.9"
- },
- "CVE_data_meta": {
- "ID": "CVE-2022-30556",
- "ASSIGNER": "security@apache.org",
- "DATE_PUBLIC": "",
- "TITLE": "Information Disclosure in mod_lua with websockets",
- "AKA": "",
- "STATE": "REVIEW"
- },
- "source": {
- "defect": [],
- "advisory": "",
- "discovery": "UNKNOWN"
- },
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "Apache Software Foundation",
- "product": {
- "product_data": [
- {
- "product_name": "Apache HTTP Server",
- "version": {
- "version_data": [
- {
- "version_name": "",
- "version_affected": "<=",
- "version_value": "2.4.53",
- "platform": ""
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
- {
- "lang": "eng",
- "value": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"
- }
- ]
- }
- ]
- },
- "description": {
- "description_data": [
- {
- "value": "Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.",
- "lang": "eng"
- }
- ]
- },
- "references": {
- "reference_data": [
- {
- "refsource": "CONFIRM",
- "url": "",
- "name": ""
- }
- ]
- },
- "configuration": [],
- "impact": [
- {
- "other": "low"
- }
- ],
- "exploit": [],
- "work_around": [],
- "solution": [],
- "credit": [
- {
- "lang": "eng",
- "value": "The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC) for reporting this issue"
- }
- ],
- "CNA_private": {
- "owner": "httpd",
- "publish": {
- "ym": "",
- "year": "",
- "month": ""
- },
- "share_with_CVE": true,
- "CVE_table_description": [],
- "CVE_list": [],
- "internal_comments": "",
- "todo": [],
- "emailed": "",
- "userslist": "",
- "email": ""
- },
- "timeline": [
- {
- "lang": "eng",
- "time": "2022-06-08",
- "value": "2.4.54 released"
- }
- ]
- },
{
"data_type": "CVE",
"data_format": "MITRE",
@@ -4629,19 +4881,19 @@
"references": {},
"timeline": [
{
- "time": "2020-09-11",
+ "time": "2002-07-05",
"lang": "eng",
"value": "reported"
},
{
- "time": "2021-06-01",
+ "time": "2002-08-09",
"lang": "eng",
"value": "public"
},
{
- "time": "2021-06-01",
+ "time": "2002-08-09",
"lang": "eng",
- "value": "2.4.48 released"
+ "value": "2.0.40 released"
}
],
"CNA_private": {
@@ -4651,9 +4903,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2021-06-01",
- "ID": "CVE-2020-13950",
- "TITLE": "mod_proxy_http NULL pointer dereference"
+ "DATE_PUBLIC": "2002-08-09",
+ "ID": "CVE-2002-0654",
+ "TITLE": "Path revealing exposures"
},
"source": {
"defect": [],
@@ -4666,23 +4918,17 @@
"description": [
{
"lang": "eng",
- "value": "mod_proxy_http NULL pointer dereference"
+ "value": "Path revealing exposures"
}
]
}
]
},
- "credit": [
- {
- "lang": "eng",
- "value": "Reported by Marc Stern (<marc.stern approach.be>)"
- }
- ],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service"
+ "value": "A path-revealing exposure was present in multiview type map negotiation (such as the default error documents) where a module would report the full path of the typemapped .var file when multiple documents or no documents could be served. Additionally a path-revealing exposure in cgi/cgid when Apache fails to invoke a script. The modules would report \"couldn't create child process /path-to-script/script.pl\" revealing the full path of the script."
}
]
},
@@ -4703,19 +4949,24 @@
"version": {
"version_data": [
{
- "version_name": "2.4",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.4.46"
+ "version_value": "2.0.39"
},
{
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.43"
+ "version_name": "2.0",
+ "version_affected": "?=",
+ "version_value": "2.0.37"
},
{
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.41"
+ "version_name": "2.0",
+ "version_affected": "?=",
+ "version_value": "2.0.36"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "?=",
+ "version_value": "2.0.35"
}
]
}
@@ -4737,14 +4988,14 @@
"references": {},
"timeline": [
{
- "time": "2003-03-31",
+ "time": "2001-07-09",
"lang": "eng",
"value": "public"
},
{
- "time": "2003-05-28",
+ "time": "2001-10-12",
"lang": "eng",
- "value": "2.0.46 released"
+ "value": "1.3.22 released"
}
],
"CNA_private": {
@@ -4754,9 +5005,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2003-03-31",
- "ID": "CVE-2003-0134",
- "TITLE": "OS2 device name DoS"
+ "DATE_PUBLIC": "2001-07-09",
+ "ID": "CVE-2001-0731",
+ "TITLE": "Multiviews can cause a directory listing to be displayed"
},
"source": {
"defect": [],
@@ -4769,7 +5020,7 @@
"description": [
{
"lang": "eng",
- "value": "OS2 device name DoS"
+ "value": "Multiviews can cause a directory listing to be displayed"
}
]
}
@@ -4779,7 +5030,7 @@
"description_data": [
{
"lang": "eng",
- "value": "Apache on OS2 up to and including Apache 2.0.45 have a Denial of Service vulnerability caused by device names."
+ "value": "A vulnerability was found when Multiviews are used to negotiate the directory index. In some configurations, requesting a URI with a QUERY_STRING of M=D could return a directory listing rather than the expected index page."
}
]
},
@@ -4800,49 +5051,69 @@
"version": {
"version_data": [
{
- "version_name": "2.0",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.0.45"
+ "version_value": "1.3.20"
},
{
- "version_name": "2.0",
+ "version_name": "1.3",
"version_affected": "?=",
- "version_value": "2.0.44"
+ "version_value": "1.3.19"
},
{
- "version_name": "2.0",
+ "version_name": "1.3",
"version_affected": "?=",
- "version_value": "2.0.43"
+ "version_value": "1.3.17"
},
{
- "version_name": "2.0",
+ "version_name": "1.3",
"version_affected": "?=",
- "version_value": "2.0.42"
+ "version_value": "1.3.14"
},
{
- "version_name": "2.0",
+ "version_name": "1.3",
"version_affected": "?=",
- "version_value": "2.0.40"
+ "version_value": "1.3.12"
},
{
- "version_name": "2.0",
+ "version_name": "1.3",
"version_affected": "?=",
- "version_value": "2.0.39"
+ "version_value": "1.3.11"
},
{
- "version_name": "2.0",
+ "version_name": "1.3",
"version_affected": "?=",
- "version_value": "2.0.37"
+ "version_value": "1.3.9"
},
{
- "version_name": "2.0",
+ "version_name": "1.3",
"version_affected": "?=",
- "version_value": "2.0.36"
+ "version_value": "1.3.6"
},
{
- "version_name": "2.0",
+ "version_name": "1.3",
"version_affected": "?=",
- "version_value": "2.0.35"
+ "version_value": "1.3.4"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "?=",
+ "version_value": "1.3.3"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "?=",
+ "version_value": "1.3.2"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "?=",
+ "version_value": "1.3.1"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "?=",
+ "version_value": "1.3.0"
}
]
}
@@ -4864,19 +5135,24 @@
"references": {},
"timeline": [
{
- "time": "2009-04-24",
+ "time": "2008-05-29",
"lang": "eng",
"value": "reported"
},
{
- "time": "2009-04-24",
+ "time": "2008-06-10",
"lang": "eng",
"value": "public"
},
{
- "time": "2009-07-27",
+ "time": "2010-10-19",
"lang": "eng",
- "value": "2.2.12 released"
+ "value": "2.0.64 released"
+ },
+ {
+ "time": "2008-06-14",
+ "lang": "eng",
+ "value": "2.2.9 released"
}
],
"CNA_private": {
@@ -4886,9 +5162,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2009-04-24",
- "ID": "CVE-2009-1956",
- "TITLE": "APR-util off-by-one overflow"
+ "DATE_PUBLIC": "2008-06-10",
+ "ID": "CVE-2008-2364",
+ "TITLE": "mod_proxy_http DoS"
},
"source": {
"defect": [],
@@ -4901,7 +5177,7 @@
"description": [
{
"lang": "eng",
- "value": "APR-util off-by-one overflow"
+ "value": "mod_proxy_http DoS"
}
]
}
@@ -4911,7 +5187,7 @@
"description_data": [
{
"lang": "eng",
- "value": "An off-by-one overflow flaw was found in the way the bundled copy of the APR-util library processed a variable list of arguments. An attacker could provide a specially-crafted string as input for the formatted output conversion routine, which could, on big-endian platforms, potentially lead to the disclosure of sensitive information or a denial of service."
+ "value": "A flaw was found in the handling of excessive interim responses from an origin server when using mod_proxy_http. A remote attacker could cause a denial of service or high memory usage."
}
]
},
@@ -4932,142 +5208,60 @@
"version": {
"version_data": [
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.11"
+ "version_value": "2.0.63"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.10"
+ "version_value": "2.0.61"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.9"
+ "version_value": "2.0.59"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.8"
+ "version_value": "2.0.58"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.6"
+ "version_value": "2.0.55"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.5"
+ "version_value": "2.0.54"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.4"
+ "version_value": "2.0.53"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.3"
+ "version_value": "2.0.52"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.2"
+ "version_value": "2.0.51"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.0"
- }
- ]
- }
- }
- ]
- }
- }
- ]
- }
- }
- },
- {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "generator": {
- "engine": "xmltojsonmjc 1.0"
- },
- "references": {},
- "timeline": [
- {
- "time": "2004-02-20",
- "lang": "eng",
- "value": "reported"
- },
- {
- "time": "2004-02-20",
- "lang": "eng",
- "value": "public"
- },
- {
- "time": "2004-03-19",
- "lang": "eng",
- "value": "2.0.49 released"
- }
- ],
- "CNA_private": {
- "owner": "httpd"
- },
- "CVE_data_meta": {
- "ASSIGNER": "security@apache.org",
- "AKA": "",
- "STATE": "PUBLIC",
- "DATE_PUBLIC": "2004-02-20",
- "ID": "CVE-2004-0113",
- "TITLE": "mod_ssl memory leak"
- },
- "source": {
- "defect": [],
- "advisory": "",
- "discovery": "UNKNOWN"
- },
- "problemtype": {
- "problemtype_data": [
- {
- "description": [
- {
- "lang": "eng",
- "value": "mod_ssl memory leak"
- }
- ]
- }
- ]
- },
- "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "A memory leak in mod_ssl allows a remote denial of service attack against an SSL-enabled server by sending plain HTTP requests to the SSL port."
- }
- ]
- },
- "impact": [
- {
- "other": "important"
- }
- ],
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "Apache Software Foundation",
- "product": {
- "product_data": [
- {
- "product_name": "Apache HTTP Server",
- "version": {
- "version_data": [
+ "version_value": "2.0.50"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.49"
+ },
{
"version_name": "2.0",
"version_affected": "=",
@@ -5127,6 +5321,41 @@
"version_name": "2.0",
"version_affected": "=",
"version_value": "2.0.35"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.8"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.6"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.5"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.4"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.3"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.2"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.0"
}
]
}
@@ -5148,19 +5377,19 @@
"references": {},
"timeline": [
{
- "time": "2014-09-17",
+ "time": "2008-01-15",
"lang": "eng",
"value": "reported"
},
{
- "time": "2014-11-12",
+ "time": "2008-01-21",
"lang": "eng",
"value": "public"
},
{
- "time": "2015-01-30",
+ "time": "2009-07-27",
"lang": "eng",
- "value": "2.4.12 released"
+ "value": "2.2.12 released"
}
],
"CNA_private": {
@@ -5170,9 +5399,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2014-11-12",
- "ID": "CVE-2014-3583",
- "TITLE": "mod_proxy_fcgi out-of-bounds memory read"
+ "DATE_PUBLIC": "2008-01-21",
+ "ID": "CVE-2008-0456",
+ "TITLE": "CRLF injection in mod_negotiation when untrusted uploads are supported"
},
"source": {
"defect": [],
@@ -5185,23 +5414,17 @@
"description": [
{
"lang": "eng",
- "value": "mod_proxy_fcgi out-of-bounds memory read"
+ "value": "CRLF injection in mod_negotiation when untrusted uploads are supported"
}
]
}
]
},
- "credit": [
- {
- "lang": "eng",
- "value": "This issue was reported by Teguh P. Alko."
- }
- ],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "An out-of-bounds memory read was found in mod_proxy_fcgi. A malicious FastCGI server could send a carefully crafted response which could lead to a crash when reading past the end of a heap memory or stack buffer. This issue affects version 2.4.10 only."
+ "value": "Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_negotiation and allow untrusted uploads to locations which have MultiViews enabled."
}
]
},
@@ -5222,9 +5445,54 @@
"version": {
"version_data": [
{
- "version_name": "2.4",
+ "version_name": "2.2",
"version_affected": "=",
- "version_value": "2.4.10"
+ "version_value": "2.2.11"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.10"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.9"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.8"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.6"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.5"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.4"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.3"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.2"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.0"
}
]
}
@@ -5365,29 +5633,24 @@
"references": {},
"timeline": [
{
- "time": "2006-07-21",
+ "time": "2003-02-24",
"lang": "eng",
"value": "reported"
},
{
- "time": "2006-07-27",
+ "time": "2003-02-24",
"lang": "eng",
"value": "public"
},
{
- "time": "2006-07-27",
- "lang": "eng",
- "value": "2.2.3 released"
- },
- {
- "time": "2006-07-27",
+ "time": "2004-04-02",
"lang": "eng",
- "value": "2.0.59 released"
+ "value": "2.0.46 released"
},
{
- "time": "2006-07-27",
+ "time": "2002-06-18",
"lang": "eng",
- "value": "1.3.37 released"
+ "value": "1.3.26 released"
}
],
"CNA_private": {
@@ -5397,9 +5660,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2006-07-27",
- "ID": "CVE-2006-3747",
- "TITLE": "mod_rewrite off-by-one error"
+ "DATE_PUBLIC": "2003-02-24",
+ "ID": "CVE-2003-0083",
+ "TITLE": "Filtered escape sequences"
},
"source": {
"defect": [],
@@ -5412,7 +5675,7 @@
"description": [
{
"lang": "eng",
- "value": "mod_rewrite off-by-one error"
+ "value": "Filtered escape sequences"
}
]
}
@@ -5422,13 +5685,13 @@
"description_data": [
{
"lang": "eng",
- "value": "An off-by-one flaw exists in the Rewrite module, mod_rewrite. Depending on the manner in which Apache httpd was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution."
+ "value": "Apache did not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences."
}
]
},
"impact": [
{
- "other": "important"
+ "other": "low"
}
],
"affects": {
@@ -5443,109 +5706,124 @@
"version": {
"version_data": [
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.2"
+ "version_value": "2.0.45"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.0"
+ "version_value": "2.0.44"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.58"
+ "version_value": "2.0.43"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.55"
+ "version_value": "2.0.42"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.54"
+ "version_value": "2.0.40"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.53"
+ "version_value": "2.0.39"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.52"
+ "version_value": "2.0.37"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.51"
+ "version_value": "2.0.36"
},
{
"version_name": "2.0",
"version_affected": "=",
- "version_value": "2.0.50"
+ "version_value": "2.0.35"
},
{
- "version_name": "2.0",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.0.49"
+ "version_value": "1.3.24"
},
{
- "version_name": "2.0",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.0.48"
+ "version_value": "1.3.22"
},
{
- "version_name": "2.0",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.0.47"
+ "version_value": "1.3.20"
},
{
- "version_name": "2.0",
+ "version_name": "1.3",
"version_affected": "=",
- "version_value": "2.0.46"
+ "version_value": "1.3.19"
},
{
"version_name": "1.3",
"version_affected": "=",
- "version_value": "1.3.36"
+ "version_value": "1.3.17"
},
{
"version_name": "1.3",
"version_affected": "=",
- "version_value": "1.3.35"
+ "version_value": "1.3.14"
},
{
"version_name": "1.3",
"version_affected": "=",
- "version_value": "1.3.34"
+ "version_value": "1.3.12"
},
{
"version_name": "1.3",
"version_affected": "=",
- "version_value": "1.3.33"
+ "version_value": "1.3.11"
},
{
"version_name": "1.3",
"version_affected": "=",
- "version_value": "1.3.32"
+ "version_value": "1.3.9"
},
{
"version_name": "1.3",
"version_affected": "=",
- "version_value": "1.3.31"
+ "version_value": "1.3.6"
},
{
"version_name": "1.3",
"version_affected": "=",
- "version_value": "1.3.29"
+ "version_value": "1.3.4"
},
{
"version_name": "1.3",
"version_affected": "=",
- "version_value": "1.3.28"
+ "version_value": "1.3.3"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.2"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.1"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.0"
}
]
}
@@ -5567,19 +5845,19 @@
"references": {},
"timeline": [
{
- "time": "2021-03-01",
+ "time": "2016-10-13",
"lang": "eng",
"value": "reported"
},
{
- "time": "2021-06-01",
+ "time": "2020-08-07",
"lang": "eng",
"value": "public"
},
{
- "time": "2021-06-01",
+ "time": "2020-08-07",
"lang": "eng",
- "value": "2.4.48 released"
+ "value": "2.4.25 released"
}
],
"CNA_private": {
@@ -5589,9 +5867,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2021-06-01",
- "ID": "CVE-2021-26691",
- "TITLE": "mod_session response handling heap overflow"
+ "DATE_PUBLIC": "2020-08-07",
+ "ID": "CVE-2020-11985",
+ "TITLE": "IP address spoofing when proxying using mod_remoteip and mod_rewrite"
},
"source": {
"defect": [],
@@ -5604,7 +5882,7 @@
"description": [
{
"lang": "eng",
- "value": "mod_session response handling heap overflow"
+ "value": "IP address spoofing when proxying using mod_remoteip and mod_rewrite"
}
]
}
@@ -5613,14 +5891,14 @@
"credit": [
{
"lang": "eng",
- "value": "Discovered internally Christophe Jaillet"
+ "value": ""
}
],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted SessionHeader sent by an origin server could cause a heap overflow"
+ "value": "For configurations using proxying with mod_remoteip and certain mod_rewrite rules, an attacker could spoof their IP address for logging and PHP scripts. Note this issue was fixed in Apache HTTP Server 2.4.24 but was retrospectively allocated a low severity CVE in 2020."
}
]
},
@@ -5640,76 +5918,6 @@
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.46"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.43"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.41"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.39"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.38"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.37"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.35"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.34"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.33"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.29"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.28"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.27"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.26"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.25"
- },
{
"version_name": "2.4",
"version_affected": "=",
@@ -5779,11 +5987,6 @@
"version_name": "2.4",
"version_affected": "=",
"version_value": "2.4.1"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.0"
}
]
}
@@ -5796,111 +5999,101 @@
}
},
{
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
- "generator": {
- "engine": "xmltojsonmjc 1.0"
+ "CVE_data_meta": {
+ "ASSIGNER": "security@apache.org",
+ "ID": "CVE-2022-22720",
+ "STATE": "REVIEW",
+ "TITLE": "HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier"
},
- "references": {},
- "timeline": [
- {
- "time": "2002-09-19",
- "lang": "eng",
- "value": "public"
- },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache HTTP Server",
+ "version": {
+ "version_data": [
+ {
+ "version_affected": "<=",
+ "version_name": "Apache HTTP Server 2.4",
+ "version_value": "2.4.52"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "Apache Software Foundation"
+ }
+ ]
+ }
+ },
+ "credit": [
{
- "time": "2002-09-24",
"lang": "eng",
- "value": "2.0.42 released"
+ "value": "James Kettle <james.kettle portswigger.net>"
}
],
- "CNA_private": {
- "owner": "httpd"
- },
- "CVE_data_meta": {
- "ASSIGNER": "security@apache.org",
- "AKA": "",
- "STATE": "PUBLIC",
- "DATE_PUBLIC": "2002-09-19",
- "ID": "CVE-2002-1593",
- "TITLE": "mod_dav crash"
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling"
+ }
+ ]
},
- "source": {
- "defect": [],
- "advisory": "",
- "discovery": "UNKNOWN"
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
},
+ "impact": [
+ {
+ "other": "important"
+ }
+ ],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
- "value": "mod_dav crash"
+ "value": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"
}
]
}
]
},
- "description": {
- "description_data": [
+ "references": {
+ "reference_data": [
{
- "lang": "eng",
- "value": "A flaw was found in handling of versioning hooks in mod_dav. An attacker could send a carefully crafted request in such a way to cause the child process handling the connection to crash. This issue will only result in a denial of service where a threaded process model is in use."
+ "refsource": "CONFIRM"
}
]
},
- "impact": [
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "timeline": [
{
- "other": "moderate"
- }
- ],
- "affects": {
- "vendor": {
- "vendor_data": [
- {
- "vendor_name": "Apache Software Foundation",
- "product": {
- "product_data": [
- {
- "product_name": "Apache HTTP Server",
- "version": {
- "version_data": [
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.40"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.39"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.37"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.36"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.35"
- }
- ]
- }
- }
- ]
- }
- }
- ]
+ "lang": "eng",
+ "time": "2021-12-17",
+ "value": "Reported to security team"
+ },
+ {
+ "lang": "eng",
+ "time": "2022-03-07",
+ "value": "fixed by r1898692 in 2.4.x"
+ },
+ {
+ "lang": "eng",
+ "time": "2022-03-14",
+ "value": "2.4.53 released"
}
- }
+ ]
},
{
"data_type": "CVE",
@@ -5912,19 +6105,19 @@
"references": {},
"timeline": [
{
- "time": "2010-02-02",
+ "time": "2003-04-25",
"lang": "eng",
"value": "reported"
},
{
- "time": "2010-03-02",
+ "time": "2003-05-28",
"lang": "eng",
"value": "public"
},
{
- "time": "2010-03-05",
+ "time": "2003-05-28",
"lang": "eng",
- "value": "2.2.15 released"
+ "value": "2.0.46 released"
}
],
"CNA_private": {
@@ -5934,9 +6127,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2010-03-02",
- "ID": "CVE-2010-0408",
- "TITLE": "mod_proxy_ajp DoS"
+ "DATE_PUBLIC": "2003-05-28",
+ "ID": "CVE-2003-0189",
+ "TITLE": "Basic Authentication DoS"
},
"source": {
"defect": [],
@@ -5949,29 +6142,23 @@
"description": [
{
"lang": "eng",
- "value": "mod_proxy_ajp DoS"
+ "value": "Basic Authentication DoS"
}
]
}
]
},
- "credit": [
- {
- "lang": "eng",
- "value": "We would like to thank Niku Toivola of Sulake Corporation for reporting and proposing a patch fix for this issue."
- }
- ],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "mod_proxy_ajp would return the wrong status code if it encountered an error, causing a backend server to be put into an error state until the retry timeout expired. A remote attacker could send malicious requests to trigger this issue, resulting in denial of service."
+ "value": "A build system problem in Apache 2.0.40 through 2.0.45 allows remote attackers to cause a denial of access to authenticated content when a threaded server is used."
}
]
},
"impact": [
{
- "other": "moderate"
+ "other": "important"
}
],
"affects": {
@@ -5986,69 +6173,29 @@
"version": {
"version_data": [
{
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.14"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.13"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.12"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.11"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.10"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.9"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.8"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.6"
- },
- {
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.5"
+ "version_value": "2.0.45"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.4"
+ "version_value": "2.0.44"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.3"
+ "version_value": "2.0.43"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.2"
+ "version_value": "2.0.42"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.0"
+ "version_value": "2.0.40"
}
]
}
@@ -6070,19 +6217,19 @@
"references": {},
"timeline": [
{
- "time": "2021-02-08",
+ "time": "2018-10-08",
"lang": "eng",
"value": "reported"
},
{
- "time": "2021-06-01",
+ "time": "2019-01-22",
"lang": "eng",
"value": "public"
},
{
- "time": "2021-06-01",
+ "time": "2019-02-28",
"lang": "eng",
- "value": "2.4.48 released"
+ "value": "2.4.38 released"
}
],
"CNA_private": {
@@ -6092,9 +6239,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2021-06-01",
- "ID": "CVE-2021-26690",
- "TITLE": "mod_session NULL pointer dereference"
+ "DATE_PUBLIC": "2019-01-22",
+ "ID": "CVE-2018-17199",
+ "TITLE": "mod_session_cookie does not respect expiry time"
},
"source": {
"defect": [],
@@ -6107,7 +6254,7 @@
"description": [
{
"lang": "eng",
- "value": "mod_session NULL pointer dereference"
+ "value": "mod_session_cookie does not respect expiry time"
}
]
}
@@ -6116,14 +6263,14 @@
"credit": [
{
"lang": "eng",
- "value": "This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales)"
+ "value": "The issue was discovered by Diego Angulo from ImExHS."
}
],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service"
+ "value": "In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded."
}
]
},
@@ -6143,31 +6290,6 @@
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.46"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.43"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.41"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.39"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.38"
- },
{
"version_name": "2.4",
"version_affected": "=",
@@ -6188,6 +6310,11 @@
"version_affected": "=",
"version_value": "2.4.33"
},
+ {
+ "version_name": "2.4",
+ "version_affected": "=",
+ "version_value": "2.4.30"
+ },
{
"version_name": "2.4",
"version_affected": "=",
@@ -6308,9 +6435,19 @@
"references": {},
"timeline": [
{
- "time": "2000-10-13",
+ "time": "2004-10-21",
"lang": "eng",
- "value": "1.3.14 released"
+ "value": "reported"
+ },
+ {
+ "time": "2004-10-21",
+ "lang": "eng",
+ "value": "public"
+ },
+ {
+ "time": "2004-10-28",
+ "lang": "eng",
+ "value": "1.3.33 released"
}
],
"CNA_private": {
@@ -6320,8 +6457,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "ID": "CVE-2000-0505",
- "TITLE": "Requests can cause directory listing to be displayed on NT"
+ "DATE_PUBLIC": "2004-10-21",
+ "ID": "CVE-2004-0940",
+ "TITLE": "mod_include overflow"
},
"source": {
"defect": [],
@@ -6334,7 +6472,7 @@
"description": [
{
"lang": "eng",
- "value": "Requests can cause directory listing to be displayed on NT"
+ "value": "mod_include overflow"
}
]
}
@@ -6344,7 +6482,7 @@
"description_data": [
{
"lang": "eng",
- "value": "A security hole on Apache for Windows allows a user to view the listing of a directory instead of the default HTML page by sending a carefully constructed request."
+ "value": "A buffer overflow in mod_include could allow a local user who is authorised to create server side include (SSI) files to gain the privileges of a httpd child."
}
]
},
@@ -6367,46 +6505,106 @@
{
"version_name": "1.3",
"version_affected": "=",
- "version_value": "1.3.12"
+ "version_value": "1.3.32"
},
{
"version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.11"
+ "version_affected": "=",
+ "version_value": "1.3.31"
},
{
"version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.9"
- },
+ "version_affected": "=",
+ "version_value": "1.3.29"
+ },
{
"version_name": "1.3",
- "version_affected": "?=",
+ "version_affected": "=",
+ "version_value": "1.3.28"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.27"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.26"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.24"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.22"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.20"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.19"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.17"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.14"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.12"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.11"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
+ "version_value": "1.3.9"
+ },
+ {
+ "version_name": "1.3",
+ "version_affected": "=",
"version_value": "1.3.6"
},
{
"version_name": "1.3",
- "version_affected": "?=",
+ "version_affected": "=",
"version_value": "1.3.4"
},
{
"version_name": "1.3",
- "version_affected": "?=",
+ "version_affected": "=",
"version_value": "1.3.3"
},
{
"version_name": "1.3",
- "version_affected": "?=",
+ "version_affected": "=",
"version_value": "1.3.2"
},
{
"version_name": "1.3",
- "version_affected": "?=",
+ "version_affected": "=",
"version_value": "1.3.1"
},
{
"version_name": "1.3",
- "version_affected": "?=",
+ "version_affected": "=",
"version_value": "1.3.0"
}
]
@@ -6429,24 +6627,141 @@
"references": {},
"timeline": [
{
- "time": "2016-12-05",
+ "time": "2002-12-04",
"lang": "eng",
"value": "reported"
},
{
- "time": "2017-06-19",
+ "time": "2003-01-20",
"lang": "eng",
"value": "public"
},
{
- "time": "2017-06-19",
+ "time": "2003-01-20",
"lang": "eng",
- "value": "2.4.26 released"
+ "value": "2.0.44 released"
+ }
+ ],
+ "CNA_private": {
+ "owner": "httpd"
+ },
+ "CVE_data_meta": {
+ "ASSIGNER": "security@apache.org",
+ "AKA": "",
+ "STATE": "PUBLIC",
+ "DATE_PUBLIC": "2003-01-20",
+ "ID": "CVE-2003-0016",
+ "TITLE": "MS-DOS device name filtering"
+ },
+ "source": {
+ "defect": [],
+ "advisory": "",
+ "discovery": "UNKNOWN"
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "MS-DOS device name filtering"
+ }
+ ]
+ }
+ ]
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "On Windows platforms Apache did not correctly filter MS-DOS device names which could lead to denial of service attacks or remote code execution."
+ }
+ ]
+ },
+ "impact": [
+ {
+ "other": "critical"
+ }
+ ],
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Apache Software Foundation",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache HTTP Server",
+ "version": {
+ "version_data": [
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.43"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "?=",
+ "version_value": "2.0.42"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "?=",
+ "version_value": "2.0.40"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "?=",
+ "version_value": "2.0.39"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "?=",
+ "version_value": "2.0.37"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "?=",
+ "version_value": "2.0.36"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "?=",
+ "version_value": "2.0.35"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "generator": {
+ "engine": "xmltojsonmjc 1.0"
+ },
+ "references": {},
+ "timeline": [
+ {
+ "time": "2007-12-12",
+ "lang": "eng",
+ "value": "reported"
},
{
- "time": "2017-07-11",
+ "time": "2008-01-02",
"lang": "eng",
- "value": "2.2.34 released"
+ "value": "public"
+ },
+ {
+ "time": "2008-01-19",
+ "lang": "eng",
+ "value": "2.2.8 released"
}
],
"CNA_private": {
@@ -6456,9 +6771,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2017-06-19",
- "ID": "CVE-2017-3169",
- "TITLE": "mod_ssl Null Pointer Dereference"
+ "DATE_PUBLIC": "2008-01-02",
+ "ID": "CVE-2007-6422",
+ "TITLE": "mod_proxy_balancer DoS"
},
"source": {
"defect": [],
@@ -6471,29 +6786,278 @@
"description": [
{
"lang": "eng",
- "value": "mod_ssl Null Pointer Dereference"
+ "value": "mod_proxy_balancer DoS"
+ }
+ ]
+ }
+ ]
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A flaw was found in the mod_proxy_balancer module. On sites where mod_proxy_balancer is enabled, an authorized user could send a carefully crafted request that would cause the Apache child process handling that request to crash. This could lead to a denial of service if using a threaded Multi-Processing Module."
+ }
+ ]
+ },
+ "impact": [
+ {
+ "other": "low"
+ }
+ ],
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Apache Software Foundation",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache HTTP Server",
+ "version": {
+ "version_data": [
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.6"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.5"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.4"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.3"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.2"
+ },
+ {
+ "version_name": "2.2",
+ "version_affected": "=",
+ "version_value": "2.2.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "CVE_data_meta": {
+ "ID": "CVE-2021-31618",
+ "ASSIGNER": "security@apache.org",
+ "DATE_PUBLIC": "2021-06-01",
+ "TITLE": "NULL pointer dereference on specially crafted HTTP/2 request",
+ "AKA": "",
+ "STATE": "DRAFT"
+ },
+ "source": {
+ "defect": [],
+ "advisory": "",
+ "discovery": "UNKNOWN"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Apache Software Foundation",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache HTTP Server",
+ "version": {
+ "version_data": [
+ {
+ "version_name": "",
+ "version_affected": "=",
+ "version_value": "2.4.47",
+ "platform": ""
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-476 NULL Pointer Dereference"
}
]
}
]
},
+ "description": {
+ "description_data": [
+ {
+ "value": "Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why the request was rejected.\n\nThis rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one rece [...]
+ "lang": "eng"
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "",
+ "name": ""
+ }
+ ]
+ },
+ "configuration": [],
+ "impact": [
+ {
+ "other": "important"
+ }
+ ],
+ "exploit": [],
+ "work_around": [
+ {
+ "lang": "eng",
+ "value": "On unpatched servers, the `h2` protocol can be disabled by removing it from the `Protocols` configuration. If the `h2` protocol is not enabled, the server is not affected by this vulnerability."
+ }
+ ],
+ "solution": [],
"credit": [
{
"lang": "eng",
- "value": "We would like to thank Vasileios Panopoulos and AdNovum Informatik AG for reporting this issue."
+ "value": "Apache HTTP server would like to thank LI ZHI XIN from NSFoucs for reporting this."
+ }
+ ],
+ "CNA_private": {
+ "owner": "httpd",
+ "publish": {
+ "ym": "",
+ "year": "",
+ "month": ""
+ },
+ "share_with_CVE": true,
+ "CVE_table_description": [],
+ "CVE_list": [],
+ "internal_comments": "",
+ "todo": [],
+ "email": ""
+ },
+ "timeline": [
+ {
+ "time": "2021-04-22",
+ "lang": "eng",
+ "value": "reported"
+ },
+ {
+ "time": "2021-06-01",
+ "lang": "eng",
+ "value": "public"
+ },
+ {
+ "time": "2021-06-01",
+ "lang": "eng",
+ "value": "2.4.48 released"
+ }
+ ]
+ },
+ {
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "generator": {
+ "engine": "xmltojsonmjc 1.0"
+ },
+ "references": {},
+ "timeline": [
+ {
+ "time": "2016-07-24",
+ "lang": "eng",
+ "value": "reported"
+ },
+ {
+ "time": "2018-08-14",
+ "lang": "eng",
+ "value": "public"
+ },
+ {
+ "time": "2016-12-20",
+ "lang": "eng",
+ "value": "2.4.25 released"
+ },
+ {
+ "time": "2017-01-13",
+ "lang": "eng",
+ "value": "2.2.32 released"
+ }
+ ],
+ "CNA_private": {
+ "owner": "httpd"
+ },
+ "CVE_data_meta": {
+ "ASSIGNER": "security@apache.org",
+ "AKA": "",
+ "STATE": "PUBLIC",
+ "DATE_PUBLIC": "2018-08-14",
+ "ID": "CVE-2016-4975",
+ "TITLE": "mod_userdir CRLF injection"
+ },
+ "source": {
+ "defect": [],
+ "advisory": "",
+ "discovery": "UNKNOWN"
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "mod_userdir CRLF injection"
+ }
+ ]
+ }
+ ]
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "The issue was discovered by Sergey Bobrov"
}
],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port."
+ "value": "Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the \"Location\" or other outbound header key or value."
}
]
},
"impact": [
{
- "other": "important"
+ "other": "moderate"
}
],
"affects": {
@@ -6507,11 +7071,6 @@
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.25"
- },
{
"version_name": "2.4",
"version_affected": "=",
@@ -6582,11 +7141,6 @@
"version_affected": "=",
"version_value": "2.4.1"
},
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.32"
- },
{
"version_name": "2.2",
"version_affected": "=",
@@ -6747,19 +7301,19 @@
"references": {},
"timeline": [
{
- "time": "2019-01-20",
+ "time": "2016-01-20",
"lang": "eng",
"value": "reported"
},
{
- "time": "2019-04-01",
+ "time": "2016-12-20",
"lang": "eng",
"value": "public"
},
{
- "time": "2019-04-01",
+ "time": "2016-12-20",
"lang": "eng",
- "value": "2.4.39 released"
+ "value": "2.4.25 released"
}
],
"CNA_private": {
@@ -6769,9 +7323,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2019-04-01",
- "ID": "CVE-2019-0220",
- "TITLE": "Apache httpd URL normalization inconsistincy"
+ "DATE_PUBLIC": "2016-12-20",
+ "ID": "CVE-2016-0736",
+ "TITLE": "Padding Oracle in Apache mod_session_crypto"
},
"source": {
"defect": [],
@@ -6784,7 +7338,7 @@
"description": [
{
"lang": "eng",
- "value": "Apache httpd URL normalization inconsistincy"
+ "value": "Padding Oracle in Apache mod_session_crypto"
}
]
}
@@ -6793,14 +7347,14 @@
"credit": [
{
"lang": "eng",
- "value": "The issue was discovered by Bernhard Lorenz <be...@alphastrike.io> of Alpha Strike Labs GmbH."
+ "value": "We would like to thank individuals at the RedTeam Pentesting GmbH for reporting this issue."
}
],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them."
+ "value": "Prior to Apache HTTP release 2.4.25, mod_sessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC. An authentication tag (SipHash MAC) is now added to prevent such attacks."
}
]
},
@@ -6823,92 +7377,37 @@
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.38"
+ "version_value": "2.4.23"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.37"
+ "version_value": "2.4.20"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.35"
+ "version_value": "2.4.18"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.34"
+ "version_value": "2.4.17"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.33"
+ "version_value": "2.4.16"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.30"
+ "version_value": "2.4.12"
},
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.29"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.28"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.27"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.26"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.25"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.23"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.20"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.18"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.17"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.16"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.12"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.10"
+ "version_value": "2.4.10"
},
{
"version_name": "2.4",
@@ -6944,11 +7443,6 @@
"version_name": "2.4",
"version_affected": "=",
"version_value": "2.4.1"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.0"
}
]
}
@@ -6960,6 +7454,116 @@
}
}
},
+ {
+ "cveMetadata": {
+ "cveId": "CVE-2006-20001",
+ "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
+ "serial": 1,
+ "state": "PUBLISHED"
+ },
+ "CNA_private": {
+ "emailed": null,
+ "projecturl": "https://httpd.apache.org/",
+ "owner": "httpd",
+ "userslist": "users@httpd.apache.org",
+ "state": "REVIEW",
+ "todo": [],
+ "type": "unsure"
+ },
+ "containers": {
+ "cna": {
+ "providerMetadata": {
+ "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
+ },
+ "title": "mod_dav out of bounds read, or write of zero byte",
+ "problemTypes": [
+ {
+ "descriptions": [
+ {
+ "description": "CWE-787 Out-of-bounds Write",
+ "lang": "en",
+ "cweId": "CWE-787",
+ "type": "CWE"
+ }
+ ]
+ }
+ ],
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "affected": [
+ {
+ "vendor": "Apache Software Foundation",
+ "product": "Apache HTTP Server",
+ "versions": [
+ {
+ "status": "affected",
+ "version": "2.4",
+ "lessThanOrEqual": "2.4.54",
+ "versionType": "semver"
+ }
+ ],
+ "defaultStatus": "unaffected"
+ }
+ ],
+ "descriptions": [
+ {
+ "value": "A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.\n\nThis issue affects Apache HTTP Server 2.4.54 and earlier.\n",
+ "lang": "en",
+ "supportingMedia": [
+ {
+ "type": "text/html",
+ "base64": false,
+ "value": "A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.<br><br>This issue affects Apache HTTP Server 2.4.54 and earlier.<br>"
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "url": "https://httpd.apache.org/security/vulnerabilities_24.html",
+ "tags": [
+ "vendor-advisory"
+ ]
+ }
+ ],
+ "metrics": [
+ {
+ "other": {
+ "type": "Textual description of severity",
+ "content": {
+ "text": "moderate"
+ }
+ }
+ }
+ ],
+ "timeline": [
+ {
+ "time": "2006-10-31T19:00:00.000Z",
+ "lang": "en",
+ "value": "Described in first edition of \"The Art of Software Security Assessment\""
+ },
+ {
+ "time": "2022-08-10T19:00:00.000Z",
+ "lang": "en",
+ "value": "Reported to security team"
+ }
+ ],
+ "x_generator": {
+ "engine": "Vulnogram 0.1.0-dev"
+ }
+ }
+ },
+ "dataType": "CVE_RECORD",
+ "dataVersion": "5.0",
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2023-01-17",
+ "value": "2.4.55 released"
+ }
+ ]
+ },
{
"data_type": "CVE",
"data_format": "MITRE",
@@ -6970,19 +7574,19 @@
"references": {},
"timeline": [
{
- "time": "2003-07-04",
+ "time": "2004-07-07",
"lang": "eng",
"value": "reported"
},
{
- "time": "2003-07-18",
+ "time": "2004-07-07",
"lang": "eng",
"value": "public"
},
{
- "time": "2003-07-18",
+ "time": "2004-09-15",
"lang": "eng",
- "value": "1.3.28 released"
+ "value": "2.0.51 released"
}
],
"CNA_private": {
@@ -6992,9 +7596,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2003-07-18",
- "ID": "CVE-2003-0460",
- "TITLE": "RotateLogs DoS"
+ "DATE_PUBLIC": "2004-07-07",
+ "ID": "CVE-2004-0751",
+ "TITLE": "Malicious SSL proxy can cause crash"
},
"source": {
"defect": [],
@@ -7007,7 +7611,7 @@
"description": [
{
"lang": "eng",
- "value": "RotateLogs DoS"
+ "value": "Malicious SSL proxy can cause crash"
}
]
}
@@ -7017,13 +7621,13 @@
"description_data": [
{
"lang": "eng",
- "value": "The rotatelogs support program on Win32 and OS/2 would quit logging and exit if it received special control characters such as 0x1A."
+ "value": "An issue was discovered in the mod_ssl module in Apache 2.0.44-2.0.50 which could be triggered if the server is configured to allow proxying to a remote SSL server. A malicious remote SSL server could force an httpd child process to crash by sending a carefully crafted response header. This issue is not believed to allow execution of arbitrary code and will only result in a denial of service where a threaded process model is in use."
}
]
},
"impact": [
{
- "other": "important"
+ "other": "low"
}
],
"affects": {
@@ -7038,99 +7642,156 @@
"version": {
"version_data": [
{
- "version_name": "1.3",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "1.3.27"
- },
- {
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.26"
- },
- {
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.24"
- },
- {
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.22"
- },
- {
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.20"
- },
- {
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.19"
- },
- {
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.17"
- },
- {
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.14"
- },
- {
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.12"
+ "version_value": "2.0.50"
},
{
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.11"
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.49"
},
{
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.9"
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.48"
},
{
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.6"
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.47"
},
{
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.4"
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.46"
},
{
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.3"
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.45"
},
{
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.2"
- },
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.44"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "CVE_data_meta": {
+ "ASSIGNER": "security@apache.org",
+ "ID": "CVE-2021-33193",
+ "STATE": "PUBLIC",
+ "TITLE": "Request splitting via HTTP/2 method injection and mod_proxy"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Apache HTTP Server",
+ "version": {
+ "version_data": [
{
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.1"
+ "version_affected": "<=",
+ "version_name": "Apache HTTP Server 2.4",
+ "version_value": "2.4.48"
},
{
- "version_name": "1.3",
- "version_affected": "?=",
- "version_value": "1.3.0"
+ "version_affected": "!<",
+ "version_name": "Apache HTTP Server 2.4",
+ "version_value": "2.4.17"
}
]
}
}
]
- }
+ },
+ "vendor_name": "Apache Software Foundation"
}
]
}
- }
+ },
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "Reported by James Kettle of PortSwigger"
+ }
+ ],
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning.\n\nThis issue affects Apache HTTP Server 2.4.17 to 2.4.48."
+ }
+ ]
+ },
+ "generator": {
+ "engine": "Vulnogram 0.0.9"
+ },
+ "impact": [
+ {
+ "other": "moderate"
+ }
+ ],
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "Request Splitting"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "refsource": "CONFIRM",
+ "url": "https://portswigger.net/research/http2"
+ },
+ {
+ "refsource": "CONFIRM",
+ "url": "https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c.patch"
+ }
+ ]
+ },
+ "source": {
+ "discovery": "UNKNOWN"
+ },
+ "timeline": [
+ {
+ "lang": "eng",
+ "time": "2021-05-11",
+ "value": "reported"
+ },
+ {
+ "lang": "eng",
+ "time": "2021-08-06",
+ "value": "public"
+ },
+ {
+ "lang": "eng",
+ "time": "2021-09-16",
+ "value": "2.4.49 released"
+ }
+ ]
},
{
"data_type": "CVE",
@@ -7142,19 +7803,19 @@
"references": {},
"timeline": [
{
- "time": "2008-12-25",
+ "time": "2004-08-05",
"lang": "eng",
"value": "reported"
},
{
- "time": "2009-06-01",
+ "time": "2004-09-15",
"lang": "eng",
"value": "public"
},
{
- "time": "2009-07-27",
+ "time": "2004-09-15",
"lang": "eng",
- "value": "2.2.12 released"
+ "value": "2.0.51 released"
}
],
"CNA_private": {
@@ -7164,9 +7825,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2009-06-01",
- "ID": "CVE-2009-0023",
- "TITLE": "APR-util heap underwrite"
+ "DATE_PUBLIC": "2004-09-15",
+ "ID": "CVE-2004-0747",
+ "TITLE": "Environment variable expansion flaw"
},
"source": {
"defect": [],
@@ -7179,23 +7840,29 @@
"description": [
{
"lang": "eng",
- "value": "APR-util heap underwrite"
+ "value": "Environment variable expansion flaw"
}
]
}
]
},
+ "credit": [
+ {
+ "lang": "eng",
+ "value": "We would like to thank the Swedish IT Incident Centre (SITIC) for reporting this issue."
+ }
+ ],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "A heap-based underwrite flaw was found in the way the bundled copy of the APR-util library created compiled forms of particular search patterns. An attacker could formulate a specially-crafted search keyword, that would overwrite arbitrary heap memory locations when processed by the pattern preparation engine."
+ "value": "A buffer overflow was found in the expansion of environment variables during configuration file parsing. This issue could allow a local user to gain the privileges of a httpd child if a server can be forced to parse a carefully crafted .htaccess file written by a local user."
}
]
},
"impact": [
{
- "other": "moderate"
+ "other": "low"
}
],
"affects": {
@@ -7210,54 +7877,74 @@
"version": {
"version_data": [
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.11"
+ "version_value": "2.0.50"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.10"
+ "version_value": "2.0.49"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.9"
+ "version_value": "2.0.48"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.8"
+ "version_value": "2.0.47"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.6"
+ "version_value": "2.0.46"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.5"
+ "version_value": "2.0.45"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.4"
+ "version_value": "2.0.44"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.3"
+ "version_value": "2.0.43"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.2"
+ "version_value": "2.0.42"
},
{
- "version_name": "2.2",
+ "version_name": "2.0",
"version_affected": "=",
- "version_value": "2.2.0"
+ "version_value": "2.0.40"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.39"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.37"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.36"
+ },
+ {
+ "version_name": "2.0",
+ "version_affected": "=",
+ "version_value": "2.0.35"
}
]
}
@@ -7279,29 +7966,19 @@
"references": {},
"timeline": [
{
- "time": "2007-12-15",
+ "time": "2004-08-25",
"lang": "eng",
"value": "reported"
},
{
- "time": "2008-01-02",
+ "time": "2004-09-15",
"lang": "eng",
"value": "public"
},
{
- "time": "2008-01-19",
- "lang": "eng",
- "value": "2.2.8 released"
- },
- {
- "time": "2008-01-19",
- "lang": "eng",
- "value": "2.0.63 released"
- },
- {
- "time": "2008-01-19",
+ "time": "2004-09-15",
"lang": "eng",
- "value": "1.3.41 released"
+ "value": "2.0.51 released"
}
],
"CNA_private": {
@@ -7311,9 +7988,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2008-01-02",
- "ID": "CVE-2007-6388",
- "TITLE": "mod_status XSS"
+ "DATE_PUBLIC": "2004-09-15",
+ "ID": "CVE-2004-0786",
+ "TITLE": "IPv6 URI parsing heap overflow"
},
"source": {
"defect": [],
@@ -7326,7 +8003,7 @@
"description": [
{
"lang": "eng",
- "value": "mod_status XSS"
+ "value": "IPv6 URI parsing heap overflow"
}
]
}
@@ -7336,13 +8013,13 @@
"description_data": [
{
"lang": "eng",
- "value": "A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available."
+ "value": "Testing using the Codenomicon HTTP Test Tool performed by the Apache Software Foundation security group and Red Hat uncovered an input validation issue in the IPv6 URI parsing routines in the apr-util library. If a remote attacker sent a request including a carefully crafted URI, an httpd child process could be made to crash. One some BSD systems it is believed this flaw may be able to lead to remote code execution."
}
]
},
"impact": [
{
- "other": "moderate"
+ "other": "critical"
}
],
"affects": {
@@ -7356,76 +8033,6 @@
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.6"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.5"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.4"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.3"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.2"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.0"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.61"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.59"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.58"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.55"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.54"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.53"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.52"
- },
- {
- "version_name": "2.0",
- "version_affected": "=",
- "version_value": "2.0.51"
- },
{
"version_name": "2.0",
"version_affected": "=",
@@ -7495,131 +8102,6 @@
"version_name": "2.0",
"version_affected": "=",
"version_value": "2.0.35"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.39"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.37"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.36"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.35"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.34"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.33"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.32"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.31"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.29"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.28"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.27"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.26"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.24"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.22"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.20"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.19"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.17"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.14"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.12"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.11"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.9"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.6"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.4"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.3"
- },
- {
- "version_name": "1.3",
- "version_affected": "=",
- "version_value": "1.3.2"
}
]
}
@@ -7641,24 +8123,24 @@
"references": {},
"timeline": [
{
- "time": "2014-06-16",
+ "time": "2017-05-06",
"lang": "eng",
"value": "reported"
},
{
- "time": "2014-07-14",
+ "time": "2017-06-19",
"lang": "eng",
"value": "public"
},
{
- "time": "2014-07-15",
+ "time": "2017-06-19",
"lang": "eng",
- "value": "2.4.10 released"
+ "value": "2.4.26 released"
},
{
- "time": "2014-09-03",
+ "time": "2017-07-11",
"lang": "eng",
- "value": "2.2.29 released"
+ "value": "2.2.34 released"
}
],
"CNA_private": {
@@ -7668,9 +8150,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2014-07-14",
- "ID": "CVE-2014-0231",
- "TITLE": "mod_cgid denial of service"
+ "DATE_PUBLIC": "2017-06-19",
+ "ID": "CVE-2017-7668",
+ "TITLE": "ap_find_token() Buffer Overread"
},
"source": {
"defect": [],
@@ -7683,7 +8165,7 @@
"description": [
{
"lang": "eng",
- "value": "mod_cgid denial of service"
+ "value": "ap_find_token() Buffer Overread"
}
]
}
@@ -7692,14 +8174,14 @@
"credit": [
{
"lang": "eng",
- "value": "This issue was reported by Rainer Jung of the ASF"
+ "value": "We would like to thank Javier Jim\u00e9nez (javijmor@gmail.com) for reporting this issue."
}
],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI scripts which did not consume standard input, a remote attacker could cause child processes to hang indefinitely, leading to denial of service."
+ "value": "The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value."
}
]
},
@@ -7722,167 +8204,12 @@
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.9"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.7"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.6"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.4"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.3"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.2"
- },
- {
- "version_name": "2.4",
- "version_affected": "=",
- "version_value": "2.4.1"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.27"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.26"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.25"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.24"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.23"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.22"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.21"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.20"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.19"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.18"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.17"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.16"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.15"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.14"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.13"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.12"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.11"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.10"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.9"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.8"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.6"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.5"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.4"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.3"
- },
- {
- "version_name": "2.2",
- "version_affected": "=",
- "version_value": "2.2.2"
+ "version_value": "2.4.25"
},
{
"version_name": "2.2",
"version_affected": "=",
- "version_value": "2.2.0"
+ "version_value": "2.2.32"
}
]
}
@@ -7904,19 +8231,19 @@
"references": {},
"timeline": [
{
- "time": "2019-01-01",
+ "time": "2015-02-03",
"lang": "eng",
"value": "reported"
},
{
- "time": "2019-01-22",
+ "time": "2015-03-05",
"lang": "eng",
"value": "public"
},
{
- "time": "2019-02-28",
+ "time": "2015-07-15",
"lang": "eng",
- "value": "2.4.38 released"
+ "value": "2.4.16 released"
}
],
"CNA_private": {
@@ -7926,9 +8253,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2019-01-22",
- "ID": "CVE-2019-0190",
- "TITLE": "mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1"
+ "DATE_PUBLIC": "2015-03-05",
+ "ID": "CVE-2015-0253",
+ "TITLE": "Crash in ErrorDocument 400 handling"
},
"source": {
"defect": [],
@@ -7941,29 +8268,23 @@
"description": [
{
"lang": "eng",
- "value": "mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1"
+ "value": "Crash in ErrorDocument 400 handling"
}
]
}
]
},
- "credit": [
- {
- "lang": "eng",
- "value": "The issue was discovered through user bug reports."
- }
- ],
"description": {
"description_data": [
{
"lang": "eng",
- "value": "A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts."
+ "value": "A crash in ErrorDocument handling was found. If ErrorDocument 400 was configured pointing to a local URL-path with the INCLUDES filter active, a NULL dereference would occur when handling the error, causing the child process to crash. This issue affected the 2.4.12 release only."
}
]
},
"impact": [
{
- "other": "important"
+ "other": "low"
}
],
"affects": {
@@ -7980,7 +8301,7 @@
{
"version_name": "2.4",
"version_affected": "=",
- "version_value": "2.4.37"
+ "version_value": "2.4.12"
}
]
}
@@ -8002,14 +8323,14 @@
"references": {},
"timeline": [
{
- "time": "2002-04-22",
+ "time": "2004-05-17",
"lang": "eng",
"value": "public"
},
{
- "time": "2002-05-08",
+ "time": "2004-07-01",
"lang": "eng",
- "value": "2.0.36 released"
+ "value": "2.0.50 released"
}
],
"CNA_private": {
@@ -8019,9 +8340,9 @@
"ASSIGNER": "security@apache.org",
"AKA": "",
"STATE": "PUBLIC",
- "DATE_PUBLIC": "2002-04-22",
- "ID": "CVE-2002-1592",
- "TITLE": "Warning messages could be displayed to users"
+ "DATE_PUBLIC": "2004-05-17",
+ "ID": "CVE-2004-0488",
+ "TITLE": "FakeBasicAuth overflow"
},
"source": {
"defect": [],
@@ -8034,7 +8355,7 @@
"description": [
{
"lang": "eng",
- "value": "Warning messages could be displayed to users"
+ "value": "FakeBasicAuth overflow"
}
]
}
@@ -8044,7 +8365,7 @@
"description_data": [
{
"lang": "eng",
- "value": "In some cases warning messages could get returned to end users in addition to being recorded in the error log. This could reveal the path to a CGI script for example, a minor security exposure."
... 34777 lines suppressed ...