Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-40438: Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVE

Related news

CVE-2021-41524: Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project

While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.

CVE-2021-41773: Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

Apache Warns of Zero-Day Exploit in the Wild — Patch You Web Servers Now!

Apache has issued patches to address two security vulnerabilities, including a path traversal and file disclosure flaw in its HTTP server that it said is being actively exploited in the wild. "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root," the open-source

CVE-2021-36160: Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive).

CVE-2021-34798: Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project

Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVE-2021-39275: Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907